oversight

Systems of Internal Controls over Selected Recovery Act Funds in Puerto Rico

Published by the Department of Education, Office of Inspector General on 2010-12-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

               U.S. Department of Education
                Office of Inspector General


  American Recovery and Reinvestment Act of 2009
           Systems of Internal Controls over Selected
              Recovery Act Funds in Puerto Rico

                          Audit Report




                     Puerto Rico Capitol Building

ED-OIG/A04K0001                                     December 2010
                          UNITED STATES DEPARTMENT OF EDUCATION
                                OFFICE OF INSPECTOR GENERAL

                                                                                   Audit Services
                                                                                      Region IV
                                               December 16, 2010

Hon. Luis G. Fortuño
Governor of Puerto Rico
Office of the Governor
P.O. Box 9020082
San Juan, Puerto Rico 00902-0082

Hon. Jesús Rivera Sánchez
Secretary
Puerto Rico Department of Education
P.O. Box 190759
San Juan, Puerto Rico 00919-1759


Dear Hon. Fortuño and Hon. Rivera Sánchez:

This final audit report, Control Number ED-OIG/A04K0001, presents the results of our review of
the designed systems of State-level internal control over American Recovery and Reinvestment Act
funds in Puerto Rico for the Governor’s Office and the Puerto Rico Department of Education.

Statements that managerial practices need improvements, as well as other conclusions and
recommendations in this report, represent the opinions of the Office of Inspector General.
Determinations of corrective actions to be taken, including the recovery of funds, will be made
by the appropriate Department of Education officials in accordance with the General Education
Provisions Act.

If you have any additional comments or information that you believe may have a bearing on the
resolution of this audit, you should send them directly to the following Education Department
officials, who will consider them before taking final Departmental action on this audit:

                              Thelma Meléndez de Santa Ana, Ph.D.
                                        Assistant Secretary
                          Office of Elementary and Secondary Education
                                  U.S. Department of Education
                                   400 Maryland Avenue, S.W.
                                      Washington, DC 20202

                                        Alexa Posny, Ph.D.
                                        Assistant Secretary
                      Office of Special Education and Rehabilitative Services
                                  U.S. Department of Education
                                   400 Maryland Avenue, S.W.
                                      Washington, DC 20202
                                           Thomas Skelly
                                  Acting Chief Financial Officer
                                Office of the Chief Financial Officer
                                   U.S. Department of Education
                                    400 Maryland Avenue, S.W.
                                      Washington, DC 20202


It is the policy of the U. S. Department of Education to expedite the resolution of audits by initiating
timely action on the findings and recommendations contained therein. Therefore, receipt of your
comments within 30 days would be appreciated.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of
Inspector General are available to members of the press and general public to the extent information
contained therein is not subject to exemptions in the Act.

                                                Sincerely,

                                                /s/
                                                Denise M. Wempe
                                                Regional Inspector General for Audit
                Abbreviations/Acronyms Used in This Report
AP                      Accounts Payable
ARRA                    American Recovery and Reinvestment Act
ASSE                    Associate Secretariat of Special Education
C.F.R.                  Code of Federal Regulations
CFDA                    Catalog of Federal Domestic Assistance Number
CMIA                    Cash Management Improvement Act of 1990
CMU                     Compliance Monitoring Unit
COOP                    Continuity of Operations Plan
Computer Automation     Computer Automation Systems, Inc.
CPO                     Central Procurement Office
Department              U.S. Department of Education
ESF                     Education Stabilization Fund
FMU                     Fiscal Monitoring Unit
GDB                     Government Development Bank
Governor’s Office       Office of the Governor
GSF                     Government Services Fund
Hacienda                Departamento de Hacienda
                        (Puerto Rico Department of Treasury)
IDEA                    Individuals with Disability Education Act, Part B
MOE                     Maintenance of Effort
MU-OFA                  Monitoring Unit of the Office of Federal Affairs
OESE                    Office of Elementary and Secondary Education
OIG                     Office of Inspector General
OIPS                    Office for Improvement of Public Schools
OMB                     Office of Management and Budget
OSERS                   Office of Special Education and Rehabilitative Services
PRDE                    Puerto Rico Department of Education
PRIFA                   Puerto Rico Infrastructure Financing Authority
RMU                     Regional Monitoring Unit
SER                     Sociedad de Educación y Rehabilitación de Puerto Rico
                        (Society of Education and Rehabilitation)
SFSF                    State Fiscal Stabilization Fund
SIFDE                   Sistema Información Financiera del Departamento de Educación
                        (Financial Information System of the Department of Education)
SEA                     State Educational Agency
Title I                 Title I, Part A of the Elementary and Secondary Education Act
TSA                     Treasury State Agreement
UPR                     University of Puerto Rico
U.S. Treasury           U.S. Department of the Treasury
VRA                     Vocational Rehabilitation Administration
Audit Report
ED-OIG / A04K0001                                                                                            Page 1 of 28
                                                        PURPOSE

The American Recovery and Reinvestment Act of 2009 (ARRA) places a heavy emphasis on
accountability and transparency, and in doing so, increases the overall responsibilities of agencies
impacted by the Act. The U.S. Department of Education (Department) is responsible for ensuring that the
education-related ARRA funds reach intended recipients and achieve intended results. This includes
effective implementation and control of funds at the Federal level, as well as ensuring that recipients
understand requirements and have proper controls in place for 1) administering and reporting ARRA
funds, and 2) promptly identifying and mitigating instances of fraud, waste, and abuse of the funds.

The purpose of our review was to determine whether agencies charged with responsibility for overseeing
ARRA funds have designed systems of internal control that are sufficient to provide reasonable assurance
of compliance with applicable laws, regulations, and guidance. Proper internal controls are essential for
ensuring ARRA funds are adequately administered and used in ways that coincide with the intent of
ARRA. This report provides the results of our review of the Puerto Rico Department of Education
(PRDE), the Commonwealth of Puerto Rico’s Office of the Governor (Governor’s Office), and three of
the Governor’s Office’s subgrantees. 1 We focused our review on the design of State-level controls over
data quality, cash management, subrecipient monitoring, and use of funds. These controls cover the key
aspects for proper administration of ARRA funds for Title I Part A of the Elementary and Secondary
Education Act (Title I); Individuals with Disability Education Act Part B (IDEA); 2 and the State Fiscal
Stabilization Fund (SFSF) programs.

Because ARRA was in its early stages when we started our review in June 2009, the Governor’s Office
requested additional time before we started our review of controls related to the SFSF program. The
Governor’s Office stated that it had established general controls to provide reasonable assurance that
SFSF funds would be used in accordance with the requirements governing ARRA; however, it was
waiting to receive the grant award notifications to implement more specific controls. Therefore, we
focused our first ARRA audit in Puerto Rico on the designed systems for the Vocational Rehabilitation
Administration’s (VRA) controls over those funds. The results of our work at the VRA were presented in
a report issued on December 14, 2009. 3 In October 2009, we started our review of controls at the
Governor’s Office and three of its subgrantees, including PRDE as both subgrantee of SFSF and grantee
of Title I and IDEA funds.

                                             RESULTS IN BRIEF

In our assessment of the designed systems of internal control, 4 we found that officials from the
Governor’s Office and its subgrantees, including PRDE, were working diligently and proactively to
ensure proper administration of ARRA funds. Specifically, the Puerto Rico Government created a Task
Force to oversee ARRA administration in Puerto Rico. The Task Force operates through the Puerto Rico
Infrastructure Financing Authority (PRIFA), which was legally designated to provide support and
guidance to government agencies, public corporations, and municipalities managing ARRA funded

1
  PRDE, the Puerto Rico Infrastructure Financing Authority, and the University of Puerto Rico.
2
  IDEA includes only Grants to States.
3
  The Puerto Rico Recovery Act Audit, Vocational Rehabilitation Administration Audit Report, ACN: A04J0009 can be found
at: http://www2.ed.gov/about/offices/list/oig/areports.html under the Office of Special Education and Rehabilitative Services.
4
  We reviewed planned systems of internal controls for ARRA funds at PRDE, for the Title I and IDEA programs, and at the
Governor’s Office for the SFSF.
Audit Report
ED-OIG / A04K0001                                                                             Page 2 of 28

projects and programs. The Governor’s Office (1) created a Web site 5 to provide information to the
public about the uses of ARRA funds, and (2) provided training to subgrantees on ARRA compliance. In
addition, a government-wide database was created to collect data from all government agencies to
facilitate the compilation and review of information, as well as to assist in making the data available to the
public. Agencies receiving ARRA funds were required to submit monthly reports to the Governor’s
Office to be reviewed by Task Force personnel. This review was intended to ensure reported data were
accurate and reliable before grantees of ARRA funds submitted quarterly reports to the Federal reporting
Web site in accordance with Section 1512 of ARRA. The Governor’s Office’s quarterly report included
information for all of its subgrantees. We commend PRIFA for its invoice review process and its
immediate actions to address and resolve violations of the Davis Bacon Act. As discussed in the Other
Matters section of this report, PRIFA’s review identified violations of the Davis Bacon Act and it took
immediate actions to address the issue.

Despite the positive efforts taken thus far on ARRA, we found that the Governor’s Office and its
subgrantees, including PRDE, needed to strengthen systems of internal control to ensure ARRA funds are
properly administered. Specifically, we found that –

      •   The Governor’s Office had insufficient controls over cash management;
      •   PRDE and the Governor’s Office did not sufficiently monitor their use of ARRA funds and
          subgrantees to ensure adequate oversight;
      •   PRDE was not effectively monitoring the procurement process;
      •   PRDE lacked documentation to support payments made with IDEA ARRA funds and compliance
          with the contract awarding requirements included in Section 1554 of ARRA; 6 and
      •   PRDE and the Governor’s Office, including PRIFA, had insufficient internal controls for
          safeguarding information.

Because our review was limited to assessing the design of the internal controls over data quality, cash
management, subrecipient monitoring, and use of funds, there may be weaknesses in other areas not
reviewed.

In response to the preliminary audit report, the Governor’s Office disagreed with our findings and
recommendations and PRDE disagreed in part with our findings and recommendations. However, both
responses included proposed corrective actions to resolve the findings, comply with the requirements of
ARRA, and/or improve operations.

Based on the comments and the additional documentation received, we converted the Preliminary report
Finding 1 related to the Governor’s Office and two sub-sections in the Preliminary Finding 3 related to
PRDE – “No Written Procedures – Calculating and Remitting Earned Interest Timely” and “No Written
Procedures – Verifying Payments Before Requesting Reimbursement” to the Other Matters section in the
report; and renumbered the Preliminary report Findings 2, 3, 4, 5, and 6 – Finding 2 was moved to


5
    www.buengobiernopr.com.
6
    ARRA Section 1554 requires that ARRA funded contracts be   awarded as fixed price contracts through the
use of competitive procedures.
Audit Report
ED-OIG / A04K0001                                                                          Page 3 of 28

Finding 5 and Findings 3 – 6 are now Findings 1 – 4. In addition, we revised the renumbered Findings 2,
3, and 4 as follows.

   •   Finding 2 (Preliminary Finding 4) and the related recommendations to reflect PRDE’s
       responsibilities to monitor grant and subgrant supported activities to ensure compliance with
       applicable Federal requirements;
   •   Finding 3 (Preliminary Finding 5) to clarify Article 81 of PRDE’s Procurement Policies and
       Procedures; and
   •   Finding 4 (Preliminary Finding 6) and the related Recommendations 4.1 and 4.2 to emphasize that
       PRDE did not provide sufficient documentation to support that services were rendered in
       accordance with any agreement established between PRDE and Computer Automation Systems,
       Inc. (Computer Automation), and that PRDE complied with Section 1554 of ARRA.

The comments are summarized at the end of each finding. The entire narrative of the Governor’s Office
and PRDE’s comments are included as Enclosures to this report.

                                           BACKGROUND

ARRA was signed into law on February 17, 2009, in an unprecedented effort to jumpstart the American
economy. ARRA has three immediate goals: (1) create new jobs and save existing ones,
(2) spur economic activity and invest in long-term growth, and (3) foster unprecedented levels of
accountability and transparency in government spending. To ensure transparency and accountability of
ARRA spending, recipients are required under Section 1512 of ARRA to submit quarterly reports on
ARRA awards, spending, and jobs impact. According to the Office of Management and Budget (OMB),
the reports, which contain specific detailed information on the projects and activities funded by ARRA,
will provide the public with an unprecedented level of transparency into how Federal dollars are being
spent. They will also help drive accountability for the timely, prudent, and effective spending of ARRA
funds.

Puerto Rico is expected to receive $1.3 billion in education-related ARRA funds. Data in Table 1 and
Table 2 are restricted to funds related to the Title I, IDEA, and SFSF programs as the audit scope is
limited to the review of these programs. On April 1, 2009, the Department released 50 percent of the
ARRA funds for the Title I and IDEA programs. The remaining funds were released on August 31, 2009.
PRDE administered the Title I and IDEA grant funds and was allocated $386.4 million and $109.1
million, respectively (See Table 1).

                                 Table 1 – ARRA Allocations to PRDE
       CFDA NO.                               PROGRAM                               AMOUNT ($)
        84.389A       Title I Grants to Local Educational Agencies                    386,407,681
        84.391A       Special Education State Grants                                  109,098,472
                      TOTAL                                                          $495,506,153

In addition, the Governor’s Office was allocated $647.6 million in SFSF funds, which included $529.7
million (81.8 percent) for the Education Stabilization Fund (ESF) and $117.9 million (18.2 percent) for
the Government Services Fund (GSF) (See Table 2).
Audit Report
ED-OIG / A04K0001                                                                                           Page 4 of 28

                 Table 2 – ARRA Allocations to the Puerto Rico Governor’s Office 7
        CFDA NO.                            PROGRAM                          AMOUNT ($)
         84.394A     Education Stabilization Fund                                529,741,859
         84.397A     Government Services Fund                                    117,864,326
                     TOTAL                                                     $647,606,185

The Governor's Office identified six subrecipients for the $647.6 million in SFSF funds received (See
table 3).

            Table 3 – Governor’s Office Subrecipeints of SFSF for Fiscal Year 2009-2010
       CFDA NO.                              PROGRAM                           AMOUNT ($)
      84.394A (ESF) 1. Puerto Rico Department of Education                        359,302,000
      84.394A (ESF) 2. University of Puerto Rico of Puerto Rico                   105,000,000
      84.394A (ESF) 3. Conservatory of Music of Puerto Rico                         1,583,000
      84.394A (ESF) 4. School of Plastic Arts                                         798,000
                      Leftover for obligation in fiscal year 2010-2011             63,058,859
      84.397A (GSF) 5. Puerto Rico Infrastructure Financing Authority              86,786,326
      84.397A (GSF) 6. Puerto Rico Police Department                               31,078,000
                      TOTAL                                                      $647,606,185

                                    FINDINGS AND RECOMMENDATIONS

FINDING NO. 1 – Insufficient Controls Over Cash Management

Although the Governor’s Office had an acceptable payment system in place to meet its immediate cash
needs and those of its subgrantees for ARRA funds, the Governor’s Office did not have written
procedures for the payment process. Specifically, the Governor’s Office had no written procedures
documenting the payment process, including requirements for the payment method (reimbursement or
advance).

The Governor’s Office, as the prime recipient of ARRA SFSF, used the reimbursement method to fund its
subgrantees under the SFSF. The Governor’s Office required its subgrantees to submit requests for
reimbursement accompanied by supporting documentation of expenditures. The supporting
documentation was reportedly reviewed by staff of the Governors’ Office before funds were drawn down
from the U.S. Treasury and paid to the subgrantees. According to Article IV of the Memorandum of
Understanding between the Governor’s Office and subgrantees, subgrantees must prepare and submit to
the Governor’s Office a drawdown request indicating the exact amount of funds requested.

In our review of the Governor’s Office cash drawdowns as of October 2009, which consisted of 14
drawdowns totaling $74.8 million, we found that 1 PRDE and 4 University of Puerto Rico (UPR) requests
for cash drawdowns (as subgrantees) did not include adequate supporting documentation to provide
reasonable assurance that payments had been made before the subgrantees requested reimbursement.
7
  On May 27, 2009, the Department made available to the Governor’s Office $433.9 million (67 percent of its total allocation)
in SFSF, which included $354.9 million in ESF and $79 million GSF. On July 1, 2009, the Department made available
remaining 33 percent in GSF ($38.9 million). On September 27, 2010, the Department made available the remaining
33 percent in ESF ($174.8 million) to the Governor’s Office.
Audit Report
ED-OIG / A04K0001                                                                                         Page 5 of 28

Specifically, the requests did not include documentation indicating that the services for which the funds
were requested had been provided and paid by PRDE and the UPR. PRDE’s request included a document
entitled “Reporting Information for the Puerto Rico Stabilization Fund.” Although the document included
important information, 8 it did not include the purpose for which the funds were used and was not signed
by an authorized official. UPR’s request included a list of the positions and salaries, as the basis for the
reimbursement; however, there was no evidence that the list had been reviewed and verified as accurate
and complete. In summary, there was no evidence to indicate the Governor’s Office reviewed
subgrantees’ documentation for accuracy and completeness prior to its reimbursement of reported
expenditures.

According to 34 Code of Federal Regulations (C.F.R.) § 80.20(a),
        …Fiscal control… must be sufficient to: (2) Permit the tracing of funds to a level of
        expenditures adequate to establish that such funds have not been used in violation of the
        restrictions and prohibitions of applicable statutes.

Further, 34 C.F.R. § 80.21 states that
        the payment system must consist of methods and procedures which minimize the time elapsing
        between the transfer of funds from the U.S. Treasury and disbursement by the grantee or sub-
        grantee.

The regulations identify reimbursement as the preferred method of payment but allow for cash advances if
the grant recipients demonstrate the willingness and ability to maintain procedures to minimize the time
between receipt and disbursement of funds to pay program costs.

Officials in the Governors’ Office acknowledged that subgrantees were orally instructed to submit
supporting documentation with their requests for funds and that there were no written procedures to
facilitate or document a review of subgrantee submissions. Without written guidance and procedures, we
found that subgrantees did not submit documentation necessary to support reimbursement of incurred
expenditures. Also, without written procedures for documenting the Governor’s Office’s review,
subgrantees may not be adequately and consistently monitored. Documented procedures are necessary to
establish and communicate controls to ensure consistent and effective processes and system continuity.

Recommendation

We recommend that the Assistant Secretary for OESE in conjunction with the Office of the Chief
Financial Officer require—

1.1   The Governor’s Office to develop written procedures for documenting its payment and review
      process to include detailing the type of documentation subgrantees need to provide to support a
      request for payment and to minimize the time elapsing between the receipt and payout of funds.




8
 The document included the name of the agency, grant award number, CFDA, project name, Data Universal Numbering
System, project grant period, award date, amount of award, the amount expended for the month, and the name of the Finance
Director with no signature.
Audit Report
ED-OIG / A04K0001                                                                            Page 6 of 28

Governor’s Office Comments

The Governor’s Office disagreed with the finding, stating that it has written procedures for the ARRA
payment process. Specifically, as part of the terms and conditions of the contracts with its subgrantees,
the Governor’s Office stated that Article IV Disbursement Duties requires that its subgrantees –
      •    Agree that the grant received from the Governor’s Office will be managed separately from the rest
           of subgrantee’s funds.
      •    Acknowledge that grant funds will not be disbursed until a drawdown request form is completed
           and delivered to the Governor’s Office. The drawdown form will provide the Governor’s Office
           with the exact amount of the disbursement to be made to the subgrantee and disbursement will not
           be authorized without delivery of a fully completed drawdown form.

The Governor’s Office added that it has begun to strictly enforce the terms and conditions for
disbursement contracts, including requiring documentation for the intended use of funds and official
certification.

According to the Governor’s Office, it follows the Puerto Rico Department of Treasury’s (Hacienda) 9
cash management and payment procedures when managing SFSF transactions. In addition, the
Governor’s Office stated that it has offered technical assistance to its subgrantees on the payment
procedures and the SFSF-specific drawdown flowcharts. The Governor’s Office added that the
monitoring plan for the SFSF, Part C, dated March 10, 2010, explains the drawdown process. However,
in response to the finding, the Governor’s Office stated that it implemented an SFSF drawdown request
review checklist and prepared written procedures detailing the drawdown process.

OIG Response

We determined that the response provided by the Governor’s Office did not warrant a change to our
finding and recommendations. In response to PRDE’s comments, we moved two sub-sections of the
finding to the Other Matters section of the report – “No Written Procedures – Calculating and Remitting
Earned Interest Timely” and “No Written Procedures – Verifying Payments Before Requesting
Reimbursement.”

We acknowledge that the Governor’s Office, as the prime recipient of ARRA SFSF, had established
agreements with its subgrantees as required under Article IV of the Memorandum of Understanding.
However, the disbursement requirements in those agreements established only that the grant received
from the Governor’s Office would be managed separately from the rest of the funds and that subgrantees
needed to submit a complete drawdown request form. The agreements did not establish the requirements
for the (1) payment method to be used to fund subgrantees (reimbursement or advance); (2) submission of
supporting documentation for the reimbursement request to ensure costs were paid before requesting
reimbursement from the Department; and (3) process to minimize the time elapsed between receipt and
disbursement of Federal funds. Therefore, the Governor’s Office lacked controls for the ARRA payment
process, and the documentation submitted by the subgrantees did not provide reasonable assurance that
payments had been made before the subgrantees requested reimbursement.



9
    Hacienda is the abbreviation for the agency’s name, “Departamento de Hacienda.”
Audit Report
ED-OIG / A04K0001                                                                                      Page 7 of 28

The Governor’s Office stated that it is strictly enforcing the terms and conditions for disbursement
contracts, including requiring documentation for the intended use of funds and official certification. It
added that it has implemented an SFSF drawdown request review checklist and prepared written
procedures detailing the drawdown process. We commend the Governor’s Office for its immediate action
to implement corrective actions.

FINDING NO. 2 ─ Insufficient Monitoring to Ensure Adequate Oversight of ARRA Funds

PRDE and the Governor’s Office had not developed a sufficient plan to monitor and provide adequate
oversight of the $1.3 billion in education-related ARRA funds. Specifically, PRDE did not have a
sufficient plan for monitoring its use of ARRA funds, and the Governor’s Office monitoring plan and tool
lacked key steps necessary to ensure ARRA compliance.

Insufficient Plan for Monitoring Prime Recipient’s Use of ARRA Funds

We found that PRDE had not developed a sufficient plan for monitoring its use of ARRA funds to ensure
compliance with the requirements governing ARRA funding. Specifically, PRDE had not modified the
existing program monitoring guides to cover Title I and IDEA ARRA funds and did not have a sufficient
level of adequately trained staff assigned to its monitoring units.

Incomplete Monitoring Guides

PRDE’s Title I and the Associate Secretariat of Special Education (ASSE) monitoring units had not
modified their monitoring plan and guides to provide reasonable assurance of compliance with ARRA
requirements, including the new reporting requirements for the $386.4 million in Title I and $109.1
million in IDEA ARRA funds 10 PRDE was expecting to receive. In addition, we found that the ASSE
monitoring unit responsibilities did not include monitoring compliance with the Maintenance of Effort
(MOE) requirements to ensure that Federal funds are used to provide additional educational services
beyond those services normally provided by PRDE. To comply with MOE requirements, PRDE is
responsible for meeting the State financial support requirement in 34 C.F.R. § 300.163. For State
Educational Agencies (SEA), the comparison is the amount of State financial support provided (amount
made available) for special education and related services from year to year, regardless of the amount
actually expended. 11

PRDE officials believed there was no need to modify the monitoring guides because the Title I and IDEA
ARRA funds would be used for the same activities for which regular funds are used. However, PRDE is
responsible for the monitoring grant and subgrant supported activities to ensure compliance with
applicable Federal requirements and achievement of performance goals, including ARRA goals.

The lack of complete monitoring guides reduces the effectiveness of PRDE’s monitoring and oversight of
Federal funds, including ARRA funds. As a result, PRDE could fail to identify instances of significant
internal control weaknesses in programmatic and fiscal aspects which can lead to fraud.



10
   These amounts refer only to CFDA numbers 84.389A (Title I Grants to Local Educational Agencies) and 84.391A (Special
Education State Grants).
11
   Different programs calculate MOE differently as a condition of receiving Federal grant funds.
Audit Report
ED-OIG / A04K0001                                                                           Page 8 of 28

Insufficient Staffing

At the beginning of August 2009, the Coordinator of the Title I Compliance Monitoring Unit (CMU), the
Coordinator of the Monitoring Unit of the Office of Federal Affairs (MU-OFA), and 89
Title I Auxiliary Superintendents and Regional Coordinators that comprised the Regional Monitoring
Unit (RMU) were reassigned to fill school-level positions. As a result, the staffing of the units charged
with monitoring the implementation of the Title I program at all levels was significantly reduced. It was
not until February 2010 that the RMU resumed operations.

According to PRDE officials and a document entitled “Narrative to Accompany 2007 Compliance
Agreement Plan Submission” that included the RMU’s monitoring and staffing plan, the RMU’s staffing
plan consisted of one regional coordinator per region for a total of 7, 4 fiscal monitors per region for a
total of 28, and 89 district superintendents for a total of 124. However, as of March 2010, these positions
were not completely staffed and the personnel assigned had not received formal training on ARRA
provisions. Although PRDE began filling the RMU’s positions, the RMU remains insufficiently staffed
to effectively monitor Title I ARRA funds. Also, as of March 2010, the RMU’s composition had been
reduced from the original staffing plan of 124 to 41 monitors. The new RMU no longer included district
superintendents and fiscal monitors but was composed of 7 regional monitoring leaders and 34 monitors
for a total of 41 as shown in Table 3.

                     Table 3 – Composition of New RMU and New Position Titles
                                         Regional
                     Region        Monitoring Leaders          Monitors


             Arecibo                                 1                                 7
             Bayamón                                 1                                 4
             Caguas                                  1                                 5
             Humacao                                 1                                 4
             Mayaguez                                1                                 5
             Ponce                                   1                                 3
             San Juan                                1                                 6
             Total                                   7                                34

The monitoring plan states that a staffing plan will be developed to ensure that the regional units remain
staffed at optimal levels and that the processes underlying the implementation of Title I programs are
controlled. However, PRDE had not fully staffed the RMU after the reassignment of the Title I Auxiliary
Superintendents and Regional Coordinators to school-level positions and had not provided ARRA related
training.

In addition, the ASSE CMU Director stated that the CMU needed additional staff to effectively monitor
the IDEA program. According to the Director of the ASSE’s CMU, the unit needed at least two more
General Supervisors and two Specialists in Educational Research. 12 Although requests for additional staff
had been made to previous 13 Associate Secretaries of Special Education, no actions had been taken. In
addition, assigned personnel had not received formal training on ARRA provisions. As of July 2010, the
12
     The personnel selected for these positions would be performing monitoring functions.
13
     Associate Secretaries assigned before February 2010.
Audit Report
ED-OIG / A04K0001                                                                                                  Page 9 of 28

ASSE CMU consisted of five officials. 14 Without a sufficient number of adequately trained personnel on
ARRA provisions in both the RMU and CMU, PRDE cannot effectively monitor the use of ARRA funds.

Monitoring Plan and Tool Lacked Key Steps Necessary to Ensure ARRA Compliance

The Governor’s Office developed a monitoring plan and tool to ensure subgrantee’s compliance with the
requirements governing ARRA funding and the proper use of funds. However, the monitoring plan and
tool do not include key steps necessary to ensure compliance with ARRA requirements.

We found that the monitoring plan and monitoring tool developed did not include steps to ensure –

       •   Compliance with ARRA reporting including
             o the methodology employed to estimate the employment impact of ARRA funded work;
                 and
             o adherence to the requirements of Section 1512 of ARRA and the reliability of subgrantees’
                 data.
       •   Subgrantees have written policies and procedures for their accounting systems.
       •   Subgrantees’ financial records are properly maintained, reviewed, and up-to-date.
       •   Subgrantees’ accounting systems contain sufficient information and reflect proper accounting
           treatment of financial transactions, including
               o Bank account and cash balances;
               o Disbursement details, including date, payee, name, account, expense classification, and
                  other relevant information;
               o Separate accounting for funds from different sources, including ARRA;
               o Comparison of outlays against budgets;
               o Initial recording and subsequent clearing of cash advances;
               o Accrual of expenditures to match cost to their proper award period; and
               o Subgrantees’ financial statements audited by an independent public accountant.
       •   Subgrantees have a human resource/payroll system with clear and comprehensive policies and
           procedures, as well as, appropriate and adequate effort reporting systems, to include proper review
           and approval of time allocation.

A monitoring plan and tool provide assurance that controls are in place to reduce the risk of
noncompliance. However, an insufficient monitoring plan and tool indicate that the programs may not be
adequately monitored, which increases both the risk of noncompliance with requirements governing
ARRA and the possibility of waste, fraud, and abuse.

Title 34 C.F.R. § 80.40(a) requires States to monitor subgrantees to ensure compliance with applicable
Federal requirements. Specifically,
           Grantees are responsible for managing the day-to-day operations of grant and subgrant supported
           activities. Grantees must monitor grant and subgrant supported activities to assure compliance
           with applicable Federal requirements and that performance goals are being achieved. Grantee
           monitoring must cover each program, function or activity.


14
     There had been six officials in May 2010, but the Director retired at the end of June and the position has not been filled.
Audit Report
ED-OIG / A04K0001                                                                             Page 10 of 28

Recommendations

We recommend that the Assistant Secretary for OESE in coordination with the Assistant Secretary for
OSERS require—

2.1     PRDE to ensure the RMU and the ASSE CMU are staffed and trained to effectively monitor the use
        of ARRA funds;

2.2     PRDE to revise the Title I and IDEA monitoring guides to include ARRA provisions to ensure that
        the use of funds is adequately monitored and in compliance with the requirements governing
        ARRA, including MOE requirements; and

2.3     The Governor’s Office to expand the scope of its current monitoring plan and monitoring tool to
        address steps not included in the reporting, accounting, and financial areas to ensure that grant and
        subgrant activities comply with the requirements governing ARRA.

Governor’s Office Comments

The Governor’s Office disagreed with the finding, stating that the draft erroneously alleged that its
monitoring plan and tool lacked key steps necessary to ensure ARRA compliance. According to its
response, the Governor’s Office provided the audit team with the preliminary draft of a monitoring plan,
which was later revised after the Department issued its monitoring plan for the SFSF in February 2010.
The Governor’s Office stated that the monitoring plan was revised to incorporate all the components that
the grantor would be using to monitor subgrantees, and that it will be using the same parameters
established by the Department to monitor its subgrantees.

In March 2010, the Governor’s Office submitted the final version of its monitoring plan. Although the
monitoring plan is pending Department’s approval, the Governor’s Office stated that it proceeded to
implement the monitoring plan with its subgrantees to ensure compliance with the requirements
governing ARRA. The Governor’s Office provided a copy of the revised plan and monitoring tools
describing the monitoring process and necessary steps to ensure ARRA compliance.

PRDE Comments

Although PRDE disagreed with the finding related to its monitoring guides, PRDE acknowledged that it
monitored Title I and IDEA ARRA funds using its regular Title I and IDEA monitoring procedures.
PRDE stated that it currently monitors its ARRA Title I funds according to the Monitoring Procedures
Manual for funds administered at the OFA. OFA’s RMU monitors ARRA Title I funds according to the
monitoring calendar, which was developed using a risk-based analysis. The RMU updated the
Monitoring Procedures Manual to ensure that the use of both regular and ARRA Title I funds are
adequately monitored in compliance with Federal requirements. PRDE stated that the manual is under
review and final approval was expected by October 31, 2010. 15

PRDE stated that it agrees with the draft’s recommendation that additional staff are needed to assist the
RMU with the programmatic monitoring visits. However, until additional staff are hired, the MU-OFA


15
     As of November 3, 2010, PRDE had not provided evidence of final approval.
Audit Report
ED-OIG / A04K0001                                                                         Page 11 of 28

has provided, and will continue to provide, the necessary assistance to the RMU in its monitoring
activities to comply with the 2010-2011 monitoring calendar.

According to PRDE, the Special Education Office or ASSE monitors its ARRA IDEA funds through its
regular IDEA monitoring procedures and is planning on leveraging the OFA’s system of fiscal monitoring
through the creation of a Fiscal Monitoring Unit (FMU), administered by PRDE’s Finance Division.
ASSE will develop IDEA fiscal monitoring policies and procedures to be implemented by the FMU, or
another unit responsible for monitoring IDEA funds. In the interim, the Finance Department is
responsible for calculating and monitoring IDEA fiscal requirements, including maintenance of effort.
PRDE added that it will ensure the RMU is properly trained to effectively monitor the use of ARRA
funds and revise its Title I and IDEA monitoring guides to include monitoring the use of ARRA funds in
compliance with Federal requirements.

In accordance with the draft’s recommendation, PRDE stated that it is in the process of properly staffing
and training the FMU and the RMU to effectively monitor the use of ARRA funds. PRDE added that it
will conduct a needs assessment to determine how many employees are necessary for each of the
monitoring units. According to PRDE, until the RMU is properly staffed, MU-OFA will continue to
assist the RMU with its monitoring schedule and that OFA will train members of the RMU when the
manual is finally approved.

OIG Response

In response to the Governor’s Office and PRDE’s comments and additional documentation submitted, we
revised the finding to better reflect the requirements of 34 C.F.R. § 80.40(a) that requires States to
monitor subgrantees to ensure compliance with applicable Federal requirements.

The first monitoring plan and tool provided for our review by the Governor’s Office did not include key
steps necessary to ensure compliance with ARRA requirements. The Governor’s Office provided a
revised monitoring plan and stated that it had been revised based on the Department’s Monitoring Plan for
the SFSF issued in February 2010. Although the revised plan and tool includes steps that would be
necessary to ensure ARRA compliance, a monitoring plan and tool should be flexible enough to allow for
modifications based on issues identified during use. Therefore, we encourage the Governor’s Office to
continue strengthening its monitoring plan and procedures as it monitors its subgrantees for compliance.

PRDE acknowledged that it monitored Title I and IDEA ARRA funds using its regular Title I and IDEA
monitoring procedures. However, these monitoring procedures did not include the reporting requirements
needed under Section 1512 of ARRA for transparency and accountability. As such, we maintain that
PRDE’s monitoring plans and guides should be revised to ensure that the use of ARRA funds is
adequately monitored and reported. Regarding the ASSE’s monitoring guides, PRDE stated that it would
be developing fiscal policies and procedures to ensure fiscal aspects of the IDEA program are monitored,
including compliance with the MOE and allowability of costs. However, we maintain that PRDE’s ASSE
should revise its IDEA program monitoring guides to include ARRA provisions.
Audit Report
ED-OIG / A04K0001                                                                                            Page 12 of 28

FINDING NO. 3 – PRDE Is Not Effectively Monitoring the Procurement Process

PRDE had not fully established a monitoring unit or developed a monitoring plan and/or guidance to
effectively monitor Purchasing Officers and the current and past performances of vendors. Additionally,
PRDE had not reviewed its procurement procedures to ensure procurement processes funded under
ARRA are conducted in accordance with the requirements governing ARRA.

In November 2007, the former PRDE Secretary issued a memorandum establishing the new structure for
PRDE’s Procurement Office. The purpose of the memorandum was to ensure a more efficient use of the
assigned funds and to provide for improvements to strengthen PRDE’s procurement process. As part of
the effort, PRDE implemented the current financial system known as SIFDE to automate the procurement
processes. In addition, PRDE established a new functional structure in the memorandum known as the
Central Procurement Office (CPO). The proposed CPO included three components – the Acquisition
Unit, the Contract Unit, and the Monitoring Unit. PRDE’s CPO is responsible for establishing monitoring
programs and processes to monitor Purchasing Officers and the performance of vendors to identify
internal control weaknesses and administrative deficiencies.

PRDE’s efforts in establishing the Monitoring Unit have not been sufficient to comply with the November
2007 memorandum nor its procurement policies and procedures. As of January 2010, more than 2 years
after the memorandum was issued, we found that the Monitoring Unit component of the CPO had not
been fully staffed. We also found that PRDE had not developed a monitoring plan nor had it developed
guides to monitor Purchasing Officers and vendors. Further, PRDE had not revised its procurement
procedures to ensure that procurement processes funded under ARRA were conducted in accordance with
the requirements governing ARRA.

In January 2010, a consultant from one of PRDE’s consulting firms 16 was assigned to the Monitoring Unit
to perform follow-up functions on vendors who had not submitted quotes requested by Purchasing
Officers during the acquisition process, in addition to monitoring the quality of goods received and related
complaints. However, the consultant’s functions were not yet aligned with the main objectives of the
Monitoring Unit. Also, as of September 8, 2010, the consultant was no longer working at the Monitoring
Unit and PRDE had not yet assigned any staff to perform the functions previously delegated to the
consultant. According to PRDE officials, they were in the process of evaluating the options 17 to fully
establish the Monitoring Unit. Without proper guidelines and sufficient staff, PRDE’s efforts in
maintaining an adequate level of monitoring over the Purchasing Officers and the performance of vendors
could be affected.

Article 81 of PRDE’s Procurement Policies and Procedures 18 delegated Purchasing Officers the task of
providing follow-up support to the payment process to avoid unnecessary delays. However, based on
information provided by the Purchasing Officers, they had the responsibility for obtaining vendors’
invoices and following up on the supporting documentation needed to prepare hard copy packages for
each purchase order to send to the Accounts Payable (AP) Division. The task delegated to the Purchasing
Officers could conflict with their duties because routine contact with outside vendors during both the

16
   RMSROC & Company, Certified Public Accountants & Consultants were contracted to help in the implementation of
PRDE’s financial system, especially with the procurement module.
17
   Specifically, PRDE is evaluating a contractor’s proposal to perform the monitoring functions, as well as, another option to
use PRDE’s staff to perform the monitoring functions.
18
   Dated October 5, 2005, as amended on August 6, 2008, to include the creation and responsibilities of the new CPO among
other amendments.
Audit Report
ED-OIG / A04K0001                                                                                 Page 13 of 28

procurement and the payment processes is inherent in these positions. As such, Purchasing Officers are at
increased risk of potentially receiving inappropriate pressures from outside vendors to expedite their
corresponding payments over the payments of other vendors. In addition, the added task to gather
vendors’ invoices and to follow up on supporting documentation, if not performed expeditiously, could
result in the delay of payments to vendors. The potential conflict of interest situation was also identified
by PRDE’s Internal Audit Division in the 2007 Compliance Agreement Quarterly Progress Report for the
period ended December 2009.

Title 34 C.F.R. § 80.40(a) states that
       Grantees are responsible for managing the day-to-day operations of grant and subgrant supported
       activities. Grantees must monitor grant and subgrant supported activities to assure compliance
       with applicable Federal requirements and that performance goals are being achieved. Grantee
       monitoring must cover each program, function or activity.”

In addition, Article 19, section 19.11 of PRDE’s Procurement Policies and Procedures26 establishes as a
responsibility of the CPO the implementation of monitoring programs and processes to monitor
Purchasing Officers and vendors. The objective is to identify lack of adequate internal controls and
administrative deficiencies.

According to 34 C.F.R. § 76.702,
       [a] State and a sub-grantee shall use fiscal control and fund accounting procedures that insure
       proper disbursement of and accounting for Federal funds.

PRDE has not sufficiently complied with internal mandates for monitoring its procurement process. The
lack of progress in establishing a Monitoring Unit with adequate monitoring guides prevents PRDE from
effectively monitoring its Purchasing Officers and vendors. As a result, PRDE could fail to identify
potential internal control weaknesses in its procurement process putting at risk funds used to procure
services. In addition, the added task for Purchasing Officers to obtain vendors’ invoices and to follow up
on supporting documentation represents a potential conflict of interest. Specifically, the Purchasing
Officers obtain all vendors’ invoices and required supporting documentation in addition to fulfilling their
duties as Purchasing Officers. The combination of duties assigned to Purchasing Officers does not allow
for adequate segregation of duties, which could, at a minimum, delay payments, or worse, result in
fraudulent payments.

Recommendations

We recommend that the Assistant Secretary for OESE in coordination with the Assistant Secretary for
OSERS require PRDE to—

3.1   Adequately administer Federal funds, including ARRA funding, by providing staff who have
      appropriate training to CPO’s Monitoring Unit to effectively monitor Purchasing Officers and
      vendors’ performance;

3.2   Develop a monitoring plan and guides to effectively conduct monitoring of Purchasing Officers and
      vendors’ performance; and
Audit Report
ED-OIG / A04K0001                                                                        Page 14 of 28

3.3   Revise procurement procedures to ensure that procurement processes funded under ARRA are
      conducted in accordance with the requirements governing ARRA.

PRDE Comments
PRDE disagreed in part with the preliminary report’s recommendations regarding the monitoring of its
procurement process. PRDE stated that it is committed to ensuring that its CPO effectively monitors the
performance of Purchasing Officers and vendors and is in the process of establishing and staffing the
proposed CPO Monitoring Unit. According to PRDE, a staffing level of three will satisfy this unit’s
needs. PRDE expects to contract these responsibilities out until it is able to create and hire the new
positions.

PRDE stated that, although the proposed CPO Monitoring Unit has not yet been established and staffed,
the CPO implemented an interim approach to handling its proposed responsibilities. Specifically, the
CPO regularly monitors the workflow quantity and status of requisitions, delivery orders, and purchase
orders, as well as the cumulative dollar amounts by purchasing category.

According to PRDE, the CPO is structured to ensure two levels of review of Purchasing Officer work.
First, CPO Supervisors, located at both the central and regional levels, review all work completed by the
Purchasing Officers. Second, the CPO Director spot-checks Purchasing Officer work already reviewed
by the Supervisors. PRDE added that the CPO has monitoring procedures in place, which PRDE is
scheduled to review and revise, as appropriate. PRDE stated that it will review its procedures to ensure
procurement processes funded under ARRA are conducted in accordance with the requirements governing
ARRA. If any necessary changes or additions are identified, PRDE will revise its procedures accordingly.

PRDE stated that it has completed a review of its policy regarding the handling of invoices by Purchasing
Officers and has determined that those procedures maintain an adequate segregation of duties. PRDE
maintained that the preliminary report’s description of Article 81 of PRDE’s Procurement Policies and
Procedures misstates the role of the Purchasing Officers with regard to the receipt of invoices. Although
Article 81 assigns Purchase Officers the task of providing follow-up support to the payment process to
avoid unnecessary delays, Purchasing Officers are not responsible for obtaining vendors’ invoices or
preparing hard copy packages for each purchase order to send to the AP Division. According to PRDE,
the AP Division is charged with receiving invoices and supporting documentation. For services, the
invoices and supporting documentation are first received at the specific office contracted to receive the
services. The invoices are reviewed, certified, and then forwarded to the AP Division. For goods, the
invoices go directly to the AP Division from the vendor. The AP Division is responsible for notifying
Hacienda to issue payment.

In response to the PRDE Internal Audit Report on the 2007 Compliance Agreement Quarterly Progress
Report for the period ended December 2009, PRDE’s CPO Director issued a letter dated January 14,
2010, clarifying the process and reinforcing the proper roles of the Purchasing Officers and the AP
Division with regard to the receipt and review of invoices to ensure segregation of duties.

OIG Response

Although the CPO has monitoring procedures in place, the CPO’s Monitoring Unit is part of the structure
proposed by PRDE in its November 2007 memorandum and should be established accordingly. Although
Audit Report
ED-OIG / A04K0001                                                                                       Page 15 of 28

PRDE’s procurement procedures apply for all procurement activities, regardless of funding source,
ARRA has specific requirements regarding procurement processes. Section 1554 requires that to the
extent possible, contracts funded under the ARRA should be awarded as fixed price contracts through the
use of competitive procedures. A summary of any contract not awarded as fixed price through the use of
competitive procedures is required to be posted in a special section of the website established in
accordance with section 1526 of ARRA. 19 As such, PRDE should revise its procurement procedures
accordingly.

Regarding the task of gathering vendors’ invoices, PRDE is correct that Article 81 of PRDE’s
Procurement Policies and Procedures delegated Purchasing Officers the task of providing follow-up
support to the payment process to avoid unnecessary delays and does not require them to prepare hard
copy packages for each purchase order to send to AP Division. However, even though not required by
Article 81, according to the Purchasing Officers, they were preparing hard copy packages for each
purchase order. The task of gathering such documentation could conflict with their duties because routine
contact with outside vendors is inherent in the position and outside vendors could exert pressure on
Purchasing Officers to expedite their payments.

The potential conflict of interest situation was also identified by PRDE’s Internal Audit Division in the
2007 Compliance Agreement Quarterly Progress Report for the period ended December 2009 and PRDE
stated that the CPO Director had issued a letter clarifying the process and reinforcing the proper roles of
the Purchasing Officers and the AP Division. The letter is dated January 14, 2010, with an effective date
of March 1, 2010. At the time of our review, in January 2010, Purchasing Officers were still obtaining
vendors’ invoices. However, based on the guidance issued by the CPO Director clarifying the roles of the
Purchasing Offices and the AP Division, we deleted from this audit report the preliminary draft report’s
recommendation related to the review of PRDE’s policy regarding the handling of invoices by Purchasing
Officers.

FINDING NO. 4 – Lack of Documentation to Support IDEA ARRA Fund Procurement and
Compliance with Section 1554 of ARRA

PRDE made payments with IDEA ARRA funds without sufficient documentation to support that funds
were used as intended and in compliance with ARRA requirements. Specifically, PRDE paid $2,051,000
with IDEA ARRA funds for the purchase of an information technology system known as SEASweb or
Special Education Automation Software and did not provide a contract related to the procurement. As
such, PRDE provided no evidence to support that services were rendered in accordance with any
agreement between PRDE and Computer Automation and that a reasonable price was obtained based on a
competitive process in compliance with Section 1554 of ARRA. Section 1554 requires that to the extent
possible, contracts funded under ARRA should be awarded as fixed price contracts through the use of
competitive procedures. A summary of any contract not awarded as fixed-price through the use of
competitive procedures is required to be posted in a special section of the Web site.

In 2006, PRDE acquired SEASweb through an agreement with the Society of Education and
Rehabilitation (SER) 20 of Puerto Rico. The implementation was initially overseen by SER of Puerto Rico
and subsequently taken over by PRDE. The system consisted of a special education management solution

19
   Section 1526 of ARRA required the Recovery Accountability and Transparency Board to create and maintain a website to
give user-friendly tools to the public to track how and where the ARRA funds are spent.
20
   SER is a not-for-profit organization that provides therapy and educational services to individuals with disabilities.
Audit Report
ED-OIG / A04K0001                                                                                        Page 16 of 28

that would help PRDE manage the data 21 of all special education students in Puerto Rico. On March 4,
2010, PRDE’s ASSE allocated $4.6 million 22 to pay for a February 2010 invoice submitted by Computer
Automation for the SEASweb annual license. The invoice referenced a proposal called SEAS Education
Plans – Product and Services Proposal, dated December 16, 2009. However, PRDE paid $2,051,000 to
Computer Automation instead of the $4.6 million originally allocated. PRDE officials stated that the
proposal, for which the $4.6 million invoice had been submitted, was not accepted. Because PRDE
determined that it did not require the additional services Computer Automation was offering as a package,
in addition to the annual software license, it purchased only the annual software license for $2,051,000. 23

PRDE stated that the cost of the annual license was established based on Computer Automation’s price
sheet; however, the price sheet provided by PRDE in response to the finding was dated June 7, 2006,
while the invoice referenced to the proposal was dated December 16, 2009. Therefore, we could not
determine if payments made to Computer Automation were correct, reasonable, and/or justified.

Despite several requests for the information, PRDE was unable to provide us with a copy of the contract
between PRDE and Computer Automation and/or the approved proposal cited in the invoice.
Subsequently, we obtained a copy of the proposal, but PRDE officials could not confirm whether the
proposal had been approved nor could it provide any other form of documentation or contracts to support
the software license agreement between PRDE and Computer Automation.
Section 1554 Special Contracting Provisions of ARRA states that
        To the maximum extent possible, contracts funded under this Act shall be awarded as fixed-price contracts
        through the use of competitive procedures. A summary of any contract awarded with such funds that is not
        fixed-price and not awarded using competitive procedures shall be posted in a special section of the website
        established in section 1526.

Also, 34 C.F.R. § 75.730 states that
        A grantee shall keep records that fully show... (b) How the grantee uses the funds; (c) The total
        cost of the project... (e) Other records to facilitate an effective audit.

In addition, 34 C.F.R. § 80.20(a) states that
        …Fiscal control… must be sufficient to: (2) Permit the tracing of funds to a level of expenditures
        adequate to establish that such funds have not been used in violation of the restrictions and
        prohibitions of applicable statutes.

Further 34 C.F.R. § 76.702, a State should use fiscal control and fund accounting procedures that ensure
proper disbursement of and accounting for Federal funds.

PRDE did not provide documentation to adequately support that services were rendered in accordance
with any agreement between PRDE and Computer Automation, and that a reasonable price was obtained
based on a competitive process in compliance with Section 1554 of ARRA. Therefore, we were not able
to determine whether payments were in compliance with requirements governing ARRA. Without
adequate documentation and fiscal controls in place to document and support payments for expenditures
21
   Students’ personal information, appointments, evaluations, eligibility and other data.
22
   On February 25, 2010, Computer Automation billed PRDE $4,662,000 for the annual license of the SEASweb software.
23
   A second invoice in the amount of $2,051,000 was resubmitted on February 25, 2010, the same day the $4.6 million invoice
was submitted.
Audit Report
ED-OIG / A04K0001                                                                         Page 17 of 28

incurred, there is an increased risk that Federal funds, including ARRA funds, will not be administered
properly and that payments could be made for unallowable services. In addition, without written
agreements, there is no assurance that services were provided in accordance with grant objectives.

Recommendations

We recommend that the Assistant Secretary for OSERS require PRDE to—

4.1   Provide evidence that services were reasonable, justified, and rendered in accordance with an
      agreement established with Computer Automation to support the $2,051,000 in payments or return
      the funds to the Department; and

4.2   Provide evidence of compliance with Section 1554 of ARRA, including documents supporting the
      type of procurement process conducted, and the approved contract and/or proposal establishing
      agreements for the recurring procurements of the SEASweb software license.

PRDE Comments

PRDE stated that it has supporting documentation for the procurement process resulting in the purchase of
the annual software license from Computer Automation as well as documentation for the $2,051,000 in
payments made, including evidence that services were rendered in accordance with the agreement
between Computer Automation and PRDE.

According to PRDE, Computer Automation is the owner of the SEASweb software, which PRDE uses for
maintaining its special education data. To use this software, PRDE must purchase an annual software
license from Computer Automation each year. The audit report cites an invoice and accompanying
proposal that were submitted by Computer Automation to PRDE totaling $4.6 million; however, PRDE
never accepted this proposal nor entered into a contract with Computer Automation for the services
detailed in that proposal. According to PRDE, it did not require the additional services Computer
Automation was offering as a package in addition to the annual software license in said proposal.
Accordingly, PRDE proceeded through the procurement process to purchase the annual software license
for $2,051,000 and no additional goods or services were acquired.

PRDE stated that the cost of the annual license was established based on Computer Automation’s price
sheet. PRDE’s student count in SEASweb for 2009 was 121,339. The cost of the annual license is based
on a usage fee of $16 per student. Accordingly, the 2009 usage fee was $1,941,424 (121,339 x $16).
PRDE also elected to purchase the SEASweb software annual maintenance plan for an additional fee of
$187,500. The total of the annual maintenance and the usage fee was $2,128,924. PRDE received a
discount of $77,924 for its purchase of the annual maintenance plan. Thus, the adjusted total cost of the
SEASweb annual license and maintenance was $2,051,000. PRDE paid Computer Automation’s invoice
in two installments – $594,790 paid on March 25, 2010, and $1,456,210 paid on March 19, 2010.

OIG Response

Based on PRDE’s comments and the additional payment documentation, we slightly modified the finding
to consider its explanation for not accepting the $4.6 million proposal and to exclude the statement that
PRDE had provided partial documentation showing a payment in the amount of $594,790. PRDE
provided additional documentation showing payments in the amount of $2,051,000. We also modified
Audit Report
ED-OIG / A04K0001                                                                          Page 18 of 28

Recommendation 6.2 in our preliminary audit report (currently Recommendation 4.1) and added
Recommendation 4.2, requiring evidence of compliance with Section 1554 of ARRA, including
documents supporting the type of procurement process conducted, and the approved contract and/or
proposal establishing agreements for the recurring procurements of the SEASweb software license.

Although PRDE stated that it has supporting documentation of the procurement process resulting in the
purchase of the annual software license from Computer Automation, it only provided an email dated
October 18, 2010, as support. The e-mail from the President and CEO of Computer Automation briefly
discussed the discount provided to PRDE for the 2009-2010 SEASweb annual license cost, an outdated
pricing proposal components sheet dated June 7, 2006, and the evidence of payments made to Computer
Automation. It does not provide support of PRDE’s agreements with Computer Automation and its
compliance with Section 1554. PRDE did not provide sufficient documentation to support that services
were rendered in accordance with an agreement between PRDE and Computer Automation and that a
reasonable price was obtained based on a competitive process in compliance with Section 1554.

FINDING NO. 5 – Insufficient Internal Controls for Safeguarding Information

PRDE and the Governor’s Office, including PRIFA, had not established sufficient internal controls for
safeguarding information, including developing, approving, and updating information system security
policies and procedures. Specifically, PRDE, the Governor’s Office, and/or PRIFA lacked policies and
procedures to –
   •   ensure proper password and account management;

   •   reflect changes to their information systems and protect information against the latest security
       threats; and

   •   protect the physical access to its information system distribution and transmission lines.

Insufficient IT Policies and Procedures for Password and Account Management

PRDE had not updated its information system security policies and procedures to ensure proper password
and account management. Although PRDE had established policies and procedures through Circular
Letter 4-2008-2009, dated July 22, 2008, it did not adequately address proper password and account
management. Specifically, PRDE was not enforcing the use of secure passwords throughout the
organization and did not properly assign account rights and permissions. Additionally, we found that
PRIFA had not established procedures to enforce the use of secure passwords throughout the
organization.

According to information system assessments, which were performed by an external contractor in October
and November 2009, PRDE’s password policy did not provide controls for defining and enforcing an
adequate password-based authentication system. As a result, the passwords used could be easily
decrypted. In addition, the external assessment reported that PRDE had improperly delegated rights and
permissions to its information systems to contractors and users, which put the information at risk.
Although our review did not cover transactions performed by contractors and users to determine whether
access had been improperly used, the delegated rights and permissions, which were provided to
contractors and users, allowed them to potentially change most of the configuration aspects.
Audit Report
ED-OIG / A04K0001                                                                                        Page 19 of 28


Further, PRDE had not reviewed and updated its security policies and procedures to ensure that proper
password and account rights and permissions were assigned according to the employees’ functions and
responsibilities. PRDE Information System officials stated that the issues addressed in those assessments
had been communicated to PRDE’s management and it had corrected the issue of inadequate rights and
permissions. However, its administration, from the Secretary on down including the Information System
Division, had been constantly changing; therefore, PRDE needs to ensure effective security policies and
procedures are updated to provide business continuity regardless of changes in personnel and to avoid the
risk of compromising the agency’s information. Without adequate security policies and procedures, the
data may be compromised both from within and outside the agency, potentially affecting the reliability of
the information reported, including the nearly $1 billion in ARRA educational funds 24 awarded to PRDE.

Insufficient Internal Controls for Safeguarding Information and Addressing Current Security
Threats

The Governor’s Office and PRIFA had not developed and approved information system security policies
and procedures to reflect changes to their information systems and to take into consideration the latest
security threats. As a result, the Governor’s Office and PRIFA lacked sufficient internal controls for
safeguarding its information against unauthorized access.

An information system assessment of controls conducted in PRIFA as part of its financial audit for the
year ended June 2009 identified a series of control deficiencies that could jeopardize the security of the
agency’s information, including its financial data 25 and ARRA data. Specifically, the assessment reported
that PRIFA did not –
     •   Document a formal policy regarding standard or minimum password criteria, including minimum
         length, complexity requirements, expiration intervals, and account lockout for operating systems
         and databases;
     •   Establish a formal policy or procedure for system and application owners to review the nature and
         extent of user access privileges to ensure that those privileges were pertinent to the user’s
         functions;
     •   Document and test application software upgrades in a separate test environment instead of directly
         in the production environment;
     •   Perform formal information system risk assessments to determine what information resources
         exist that require protection and to understand and document potential risks from information
         system security failures that may cause loss of information confidentiality, integrity, and/or
         availability;
     •   Implement adequate environmental controls, such as fire detectors and suppression systems; 26 and
     •   Establish or develop a formal, documented set of policies, procedures, standards, and guidance
         regarding management and administration of information security and operations and change
         control for applications, databases, networks, and operating systems.

24
   PRDE was awarded the following ARRA funds – $522,904,561 in Elementary and Secondary Education funds;
$117,449,619 in Special Education; and $359,301,996 in SFSF received from the Governor’s Office.
25
   The financial data included invoice processing, payment processing, and budget, among other related processes.
26
   Although a sprinkler system was maintained inside the room, other fire suppression mechanisms were not present.
Audit Report
ED-OIG / A04K0001                                                                                          Page 20 of 28


Although the Governor’s Office was in the process of developing a set of security policies and procedures
as of October 18, 2010, the policies and procedures had not been completed. PRIFA had also developed a
set of security policies and procedures; 27 however, they were still in draft and had not yet been approved.
On August 6, 2010, PRIFA stated that it had performed a preliminary evaluation of its information system
policies and procedures and was developing a plan to address the deficiencies found during our review.
Additionally, we found that PRIFA did not have a Continuity of Operations Plan (COOP) to include an
alternate site with the backup equipment necessary to continue operations if an emergency occurred and
the primary equipment stopped working. Further, PRIFA relied on backups that had not been fully tested
to confirm that all the information was being backed up to ensure the continuation of operations. As a
result, the agency’s operation was at risk in the event of a disaster.

The U.S. Department of Commerce National Institute of Standards and Technology Special Publication
800-53, revision 3, provides guidance for organizations to establish the necessary controls
        to comply with security requirements defined by applicable Federal laws, Executive Orders,
        directives, policies, standards, or regulations (e.g., Federal Information Security Management
        Act, OMB Circular A-130). State, local, and tribal governments, as well as private sector
        organizations are encouraged to consider using these guidelines, as appropriate.

In addition, the Government of Puerto Rico established Law 151, known as “Ley de Gobierno
Electrónico,” 28 which provides the Puerto Rico OMB with the authority to issue general directives to use
adequate security controls that can guarantee the confidentiality, integrity, and availability of data to
include security policies and procedures.

Insufficient Internal Controls for Protecting the Physical Access to Information System
Distribution and Transmission Lines at the Governor’s Office

The Governor's Office was not adequately protecting the physical access to its information system
distribution and transmission lines. We found exposed distribution and transmission lines 29 in all the
areas visited posing a risk to the security of the information as well as the security of the personnel
adjacent to those areas. Additionally, we found that the exposed distribution and transmission lines had
previously caused loss of connectivity which disrupted operations. The Governor’s Office needs to
strengthen the physical access to its information system distribution and transmission lines to provide a
reasonable level of assurance that the information within its facilities and systems is secured.

As stated in the previous section, the U.S. Department of Commerce National Institute of Standards and
Technology Special Publication 800-53, revision 3, provides guidance for organizations to establish the
necessary controls to comply with Federal security controls. The Publication’s Appendix F-PE-4 states
that
        physical protections applied to information system distribution and transmission lines help prevent
        accidental damage, disruption, and physical tampering. Additionally, physical protections are
        necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions.

27
   The security policies and procedures were revised on October 7, 2009, but approval was still pending as of October 18, 2010.
However, PRIFA expects to have the security policies and procedures in place by December 31, 2010.
28
   Electronic Government Law, dated June 22, 2004.
29
   Distribution and transmission lines may include cables, fiber optics, and satellite among other available means of
communications; however, this finding refers to local area network cables.
Audit Report
ED-OIG / A04K0001                                                                               Page 21 of 28

       Protective measures to control physical access to information system distribution and transmission
       lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii)
       protection of cabling by conduit or cable trays.

Effective security policies and procedures minimize the risk of compromises to the agency’s information
and demonstrate due diligence to the individuals served. Also, physical protections applied to
information system distribution and transmission lines help prevent accidental damage, disruption, and
physical tampering. Without adequate security policies and procedures the data may be compromised
both from within and outside the agency, potentially affecting the data reliability of the information
reported. This information includes $1.3 billion in education-related ARRA funds that the Government of
Puerto Rico received, which includes the $86.8 million in ARRA SFSF funds awarded to PRIFA by the
Governor’s Office. The ultimate objective is to implement information systems that are dependable in the
face of threats.

Recommendations

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education
(OESE) in coordination with the Assistant Secretary for the Office of Special Education and
Rehabilitative Services (OSERS) require—

5.1   PRDE to update its information system security policies and procedures to enforce the use of secure
      passwords throughout the agency and to conduct periodic audits to ensure users have the correct
      level of access;

5.2   The Governor’s Office to ensure PRIFA enforces the use of secure passwords throughout the
      agency;

5.3   PRDE and the Governor’s Office, including PRIFA, to ensure that they develop a schedule for
      periodically updating their information systems security policies and procedures;

5.4   The Governor’s Office and PRIFA to ensure that information system security policies and
      procedures are approved and that they incorporate information addressing the latest security threats
      to protect the agency’s information, including ARRA data;

5.5   The Governor’s Office to ensure that PRIFA evaluates the findings and recommendations made
      during the information system assessment and implement corrective actions as appropriate;

5.6   The Governor’s Office to instruct PRIFA to conduct an information system risk assessment to
      determine how the agency will continue its operations when an emergency occurs and establish
      appropriate measures such as a COOP; and

5.7   The Governor’s Office to ensure that physical access to distribution and transmission lines is
      strengthened to help prevent accidental damage, disruption, and physical tampering.

Governor’s Office Comments

Although the Governor’s Office disagreed with our findings and recommendations, it stated that it is in
the process of developing and approving information system security policies and procedures taking into
Audit Report
ED-OIG / A04K0001                                                                           Page 22 of 28

consideration the latest security threats and changes in information systems. According to its response,
the procedures are expected to be completed and approved by December 31, 2010. The Governor’s
Office added that it is in the process of identifying funding for protecting exposed information system
distribution and transmission lines.

The Governor’s Office also stated that, as a result of its preliminary evaluation of its information system
policies and procedures, PRIFA developed a plan to correct the deficiencies in its internal controls for
safeguarding information.

The Governor’s Office added that it will instruct PRIFA to develop a schedule for periodically updating
its information system security policies and procedures, and require PRIFA to conduct an information
system risk assessment to determine how the agency will continue its operations in the event of an
emergency. In addition, the Governor’s Office stated that it will ensure PRIFA approves its information
system security policies and procedures; incorporates information addressing the latest security threats to
protect the agency’s information, including ARRA data; and evaluates the findings and implements the
recommendations made during the information system assessment, as appropriate.

PRDE Comments

PRDE disagreed with the finding that internal controls had not been established for developing,
approving, and updating information system security policies and procedures. PRDE stated that it has
established appropriate internal controls related to its information system security policies and procedures,
including policies to ensure proper password and account management.

According to PRDE’s response, it has information systems policies and procedures that outline the
process to provide secure passwords throughout the organization, and assign account rights and
permissions to the employees. PRDE stated that currently personnel from the Human Resources
Department and the Information Systems Office are meeting on a weekly basis to cross-reference
employee transfers and to monitor the appropriate password changes and access to information. PRDE
added that it is in the process of updating its information systems new account procedures through
implementation of “Oracle Identity Management and Access Management,” which will provide the
necessary tools to efficiently manage access protocols for PRDE’s systems.

OIG Response

At the time of our review, the Governor’s Office and PRIFA did not have information system policies and
procedures in place for safeguarding information against unauthorized access. Although in its overall
response to the preliminary audit report the Governor’s Office did not agree with the findings and
recommendations, its response to the finding acknowledged weaknesses in safeguarding information and
addressing current security threats at the Governor’s Office and PRIFA and included the corrective
measures implemented to protect the information systems against unauthorized access.

In its response, PRDE stated that it currently has information system policies and procedures that outline
the process to provide secure passwords throughout the organization and assign accounts rights and
permissions. At the time of our review, PRDE’s information system security policies and procedures,
established through Circular Letter 4-2008-2009, did not adequately address proper password and account
management. Specifically, we found that PRDE had not enforced the use of secure passwords throughout
the organization for its local area network. PRDE did not properly assign account rights and permissions,
Audit Report
ED-OIG / A04K0001                                                                                       Page 23 of 28

and improperly delegated rights and permissions to its information systems to contractors and users
putting the information at risk. Although PRDE Information System officials stated that the issues related
to the inadequate rights and permissions had been corrected, PRDE should continue conducting periodic
audits to ensure that users have the correct level of access.

PRDE added that it is updating its information systems new account procedures through the
implementation of “Oracle Identity Management and Access Management,” which will provide the
necessary tools to efficiently manage access protocols for PRDE’s systems. We acknowledge that PRDE
has updated its information system policies and procedures to outline the proper workflow approval
process required to request, assign, and approve user accounts; as well as, to deny and inactivate user
accounts.

                                                OTHER MATTERS

Violation of the Davis Bacon Act

A PRDE contractor 30 did not pay nine of its employees the prevailing hourly wage in violation of the
Davis Bacon Act. All Federal contractors are required to comply with the Davis Bacon Act, which
provides wage rates for employees for given types of work. According to the Davis Bacon Act, the
prevailing wage is $7.25 per hour for the type of project 31 included in the contract, but the contractor paid
nine of its employees at the rate 32 of $6.00 and $5.25 per hour. To its credit, through an established
review process, PRIFA discovered the violation.

The specific violation related to a July 6, 2009, PRIFA award of $23 million from its school renovation
grant 33 to the Office for Improvement of Public Schools 34 (OIPS). OIPS is affiliated with PRDE to assist
PRIFA in the renovation of 120 public schools. As a subgrantee of ARRA SFSF, PRIFA used the
reimbursement method to fund its subgrantees and required its subgrantees to submit requests for
reimbursement accompanied by supporting documentation of expenditures. The supporting
documentation was reportedly reviewed for accuracy, compliance, and completeness by PRIFA staff
before funds were disbursed to the subgrantees. During these reviews an accounting official noted that an
invoice submitted by one of the OIPS contractors included supporting payroll documentation. The
payroll documents for the period ending in August 2009 confirmed that payments for nine employees did
not meet the Davis Bacon Act prevailing wage of $7.25 per hour. 35 The documentation submitted showed
payments at the rate of $6.00 and $5.25 per hour instead of $7.25. After being notified of the violation,
the contractor resubmitted its invoice with documentation correcting the payroll issue for three of the nine
employees; however, the contractor stated that the $5.25 rate per hour for the remaining six employees
was the correct rate and, as such, did not adjust the hourly rate for those employees.

PRIFA officials stated that they referred the case to their Legal Division and that the Legal Division
notified the Department of Labor and sought additional guidance. In addition, PRIFA informed the
30
   The contract was awarded for Public School renovation projects.
31
   The type of project was classified as “Building.”
32
   Three employees were paid at a rate of $6.00 per hour and six employees at a rate of $5.25.
33
   On July 2, 2009, the Governor’s Office awarded PRIFA two grants amounting to $86.7 million, one in the amount of $70
million for school renovation projects and the other in the amount of $16.7 million for ARRA implementation costs.
34
   The OIPS is known in Spanish as “Oficina para el Mejoramiento de las Escuelas Públicas” and uses the OMEP acronym.
35
   The prevailing wage of $7.25 is included in General Decision: PR20080001 dated July 31, 2009. General Decisions
establishing the minimum wage were issued by the U.S. Department of Labor for each State and territories.
Audit Report
ED-OIG / A04K0001                                                                                  Page 24 of 28

contractor that the amount retained as part of its contract agreements would not be paid until a final
resolution was reached. As a result of the incident, PRIFA officials issued a memorandum to all affected
officials communicating the requirements of the Davis Bacon Act and its applicability.

On August 6, 2010, we received comments from the Governor’s Office stating that the violation of the
Davis Bacon Act had been completely resolved. In its response, the Governor’s Office stated that
payments were withheld, legal affidavits were required, and corrective measures were imposed by
PRIFA. 36 We commend the Governor’s Office and PRIFA for their immediate actions to address the
noncompliance and suggest continued monitoring of subgrantees and contractors for compliance with the
Davis Bacon Act.

Improvements Needed in Communicating Fraud Reporting Requirements

The Governor’s Office had not appropriately informed subgrantees of the requirements for reporting
suspected cases of fraud to the Department’s Office of Inspector General (OIG). Although the
Governor’s Office and subgrantees signed agreements that included a clause acknowledging that the OIG
may at any time inspect subgrantees’ documents and those of any related contractor, supplier, and vendor
to ensure proper use of ARRA funds, the signed agreements did not include the requirement to report
suspected fraud.

Consistent with OMB Memorandum M-09-15, titled “Updated Implemented Guidance for the American
Recovery and Reinvestment Act of 2009,” the Department included this reporting requirement as a
condition to the SFSF award made to the Governor’s Office, requiring that any cases of suspected fraud
be referred to the Department’s OIG. According to 34 C.F.R. § 80.37(a)(2), grantees are to ensure that
subgrantees are aware of requirements imposed on them by Federal statute and regulation.

The Puerto Rico ARRA Implementation Guidelines 09-02 address the fraud reporting requirement. The
guidelines, developed by PRIFA, are used by the Puerto Rico Government to oversee the administration
of ARRA in Puerto Rico. Contrary to the Federal reporting requirement in the grant conditions, Puerto
Rico’s implementation guidelines state that cases of fraud or misconduct shall be referred to the
Government ARRA Task Force and PRIFA, rather than reported to the Department’s OIG. Without
proper communication of the fraud reporting requirement, there is no assurance that subgrantees will refer
cases of suspected fraud to the Department’s OIG so that fraud and related cases of misconduct can be
properly investigated.

In response to the preliminary audit report, the Governor’s Office provided documentation that the
requirement for reporting suspected cases of fraud to the Department’s OIG was disseminated and
communicated to its subgrantees. Specifically, the Governor’s Office updated a poster that it had
provided to its subgrantees, which contained information about the Recovery Act Fraud Hotline. The
poster was updated in May 2010, to incorporate the OIG’s telephone number in response to our audit
finding. We commend the Governor’s Office for its immediate action to update its poster and, in effect,
address our finding by providing notification to its subgrantees to immediately report any instances of
suspected fraud to the Department’s OIG.



36
  On March 12, 2010, PRIFA submitted a memorandum to the General Manager of the OIPS stating the importance of
complying with the Davis Bacon Act and requested evidence demonstrating compliance.
Audit Report
ED-OIG / A04K0001                                                                        Page 25 of 28

Noncompliance with Cash Management Requirements at the Prime Recipient-Level

As required by the Cash Management Improvement Act of 1990 (CMIA) as amended, the
Commonwealth of Puerto Rico and the U.S. Treasury have a Treasury State Agreement (TSA) that
documents the accepted funding techniques and interest calculations agreed upon by both parties. The
CMIA was enacted to improve the transfer of funds between the Federal government and the States.
However, the ARRA programs were not added into the TSA. The CMIA is intended to address two
primary issues: States drawing down funds before they are needed and Federal agencies providing late
grant awards to States. Based on the intent of the CMIA, the ARRA programs should have been added to
the TSA to help protect Federal and State interests.

The threshold for a covered program in the current TSA between the Commonwealth of Puerto Rico and
the U.S. Treasury is $29,851,405. The threshold in the previous TSA that was in effect from July 1, 2009,
through June 30, 2010, was $26,674,140. Neither of these TSAs specifically lists SFSF, Title I, or IDEA
ARRA funds as programs covered by the agreement. However, as of November 19, 2010, the
Commonwealth of Puerto Rico had available balances for the SFSF, Title I, and IDEA ARRA grants of
$208 million, $124 million, and $77 million, respectively. U.S. Treasury regulations at 31 C.F.R Section
205.7 stipulate that a State is responsible for contacting the U.S. Treasury to amend the TSA within 30
days of a change that would impact the existing TSA, including the addition or deletion of programs.

PRDE’s policies and procedures for calculating and remitting to the Department excess interest earned on
Federal cash advances required interest to be remitted only once a year in accordance with the TSA.
Funds were disbursed by Hacienda, and as such, Hacienda calculated any interest earned that needed to be
returned to the Department and notified PRDE of the amount required to be remitted to the Department
only once a year. Although the Commonwealth of Puerto Rico’s TSA allowed for annual calculation of
interest earned, funds received through ARRA are not included in the TSA. As a result, the
Commonwealth of Puerto Rico must comply with the Education Department General Administrative
Regulations at 34 C.F.R. Sections 80.20(b)(7) and 80.21(i) for ARRA funds. These regulations require
States to maintain proper cash management procedures, including calculating the interest earned on
Federal funds drawn down in advance of need and remitting that interest to the Federal government at
least quarterly. If the ARRA programs are included in the TSA, the Commonwealth of Puerto Rico will
be able to calculate and remit interest for the covered programs annually in accordance with the TSA.

We suggest the Commonwealth of Puerto Rico notify the U.S. Treasury that ARRA programs should be
added to the TSA if the available balance on the grant exceeds the Commonwealth of Puerto Rico’s
threshold for TSA coverage.

Inadequate Controls to Ensure Expenditures Are Paid Before Requesting Reimbursement

Although PRDE required the use of reimbursement procedures for certain expenditures, it did not ensure
that expenditures were paid before requesting reimbursement from the Department. Without adequate
controls in place to ensure costs are paid before requesting funds from the Department, PRDE could
potentially use funds for unallowable expenditures. Although PRDE acknowledged that it may not have
had adequate controls to ensure that ARRA costs were paid before PRDE requested reimbursement from
the Department, it has strengthened its controls to ensure that costs are paid before requesting
reimbursement.
Audit Report
ED-OIG / A04K0001                                                                        Page 26 of 28

                                    SCOPE AND METHODOLOGY

Our review consisted of an assessment of the designed system of internal controls that PRDE and the
Governor’s Office planned to use in administering funds received under ARRA for the Title I, IDEA, and
SFSF programs. For the SFSF program, we reviewed the designed system of internal controls at the
Governor’s Office and the three of its subgrantees that received the highest amount of funds. 37 We
reviewed the controls related to data quality, cash management, subrecipient monitoring, and use of funds.

We reviewed the Governor’s Office cash draw downs as of October 2009, totaling $74.8 million of the
$647.6 million allocated in SFSF; and PRDE’s draw downs as of May 7, 2010, amounting to $180.5
million of the $495.5 million in Title I and IDEA funds allocated. We observed the payment and
accounting processes in place and conducted a limited review of certain ARRA related transactions
processed at the time of our review.

To gain an understanding and assess the designed system of ARRA internal controls that PRDE and the
Governor’s Office planned at the time of our field work, we –
      •   Reviewed PRDE’s Single Audit reports for the years ended June 30, 2007 and June 30, 2008, and
          reports issued by the Comptroller’s Office related to PRDE during the years 2007 and 2008;
      •   Identified ARRA funds allocated to PRDE for Title I and IDEA and the Governor’s Office for the
          SFSF program;
      •   Obtained and reviewed written policies and procedures of PRDE, the Governor’s Office and its
          subgrantees related to data quality, cash management, subrecipient monitoring, and use of ARRA
          funds;
      •   Obtained and reviewed the monitoring instruments of PRDE and the Governor’s Office for the
          Title I, IDEA, and SFSF program;
      •   Obtained and reviewed documentation related to data quality, cash management, subrecipient
          monitoring, and use of funds for Title I, IDEA, and the SFSF program;
      •   Observed payment and accounting processes for ARRA related transactions; and
      •   Interviewed PRDE and Governor’s Office officials regarding controls for data quality, cash
          management, subrecipient monitoring, and use of funds for the Title I, IDEA, and SFSF program.

We conducted our work at PRDE and the Governor’s Office from October 16, 2009, through
June 15, 2010. We discussed the results of our review and recommendations in separate meetings with
PRDE and with the Governor’s Office on July 21, 2010.

We assessed the reliability of computer-processed data by (1) observing the processes used to account for
ARRA related transactions within the financial systems used by PRDE, the Governor’s Office, and the
three subrecipients; (2) reviewing documentation supporting selected drawdowns of ARRA funds; and (3)
reviewing documentation supporting selected payment transactions recorded in PRDE’s financial system
related to the purchase of SEASweb. We determined that the data was sufficiently reliable for the
purposes of this report.


37
     PRDE, PRIFA, and the UPR.
Audit Report
ED-OIG / A04K0001                                                                       Page 27 of 28

We conducted this performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.
Audit Report
ED-OIG / A04K0001                                                                                         Page 28 of 28




                            Anyone knowing of fraud, waste, or abuse involving
                              U.S. Department of Education funds or programs
                         should call, write, or e-mail the Office of Inspector General.

                                                 Call toll-free:
                                          The Inspector General Hotline
                                       1-800-MISUSED (1-800-647-8733)

                                                    Or write:
                                            Inspector General Hotline
                                          U.S. Department of Education
                                           Office of Inspector General
                                                550 12th St. S.W.
                                             Washington, DC 20024

                                                   Or e-mail:
                                               oig.hotline@ed.gov

                          Your report may be made anonymously or in confidence.

             For information on identity theft prevention for students and schools, visit the Office of
                                  Inspector General Identity Theft Web site at:
                                               www.ed.gov/misused




                       The Department of Education’s mission is to promote
                 student achievement and preparation for global competitiveness
                  by fostering educational excellence and ensuring equal access.

                                                 www.ed.gov
                                    Enclosure A
                             Governor’s Office Comments



                               Puerto Rico Governor’s Office
                     Response to Draft Audit Report: ED-OIG/A04K0001

                                           Submitted to:
                                        Denise M. Wempe
                                Regional Inspector General for Audit
                                   U.S. Department of Education
                                    Office of Inspector General
                                   61 Forsyth SW, Room 18T71
                                        Atlanta, GA 30303
                                     Denise.Wempe@ed.gov




        The Puerto Rico Governor’s Office (“PRGO”) herein submits its response to the United
States D epartment of E ducation’s O ffice of t he Inspector G eneral D raft A udit R eport ( the
“Draft”) e ntitled Puerto Rico Recovery Act Audit System of Internal Controls over Selected
Funds. T he D raft i ncludes f our findings m ade t o P RGO ( findings 1 -4). F inding 1 alleges
improvements ne eded i n c ommunicating fraud r eporting r equirements, f inding 2 alleges
insufficient c ontrols f or safeguarding i nformation, f inding 3 a lleges i nsufficient c ontrols ove r
cash management, and finding 4 alleges insufficient monitoring to ensure adequate oversight of
ARRA funds.

       PRGO ha s c arefully reviewed t he s pecific do cumentation, pol icies, a nd pr ocedures a t
issue. B ased on t he results of our review to date, PRGO respectfully disagrees with the Draft’s
findings and r equests t hat t he D raft’s f indings and r ecommendations b e r econsidered. E ach
finding is discussed in turn.

Finding No. 1 – Improvements Needed in Communicating Fraud Reporting Requirements

The Draft erroneously alleges that the PRGO has not appropriately informed subgrantees of the
requirements for reporting suspected cases of fraud to the Department’s Office of Inspector
General (USDE-OIG).

The following steps taken provide evidence of the different communication means to disseminate
and communicate among our subgrantees the requirement for reporting suspected cases of fraud
to the USDE-OIG:

    1. On February 2009, PRIFA developed the Puerto Rico ARRA Implementation Guidelines
       09-02 to address the fraud reporting requirement (Enclosure A).

    2. On March 26, 2010 the Office of the Governor disseminated among its subgrantees a
       poster (Enclosure B).
                                                   1
                                    Enclosure A
                             Governor’s Office Comments

   3. On May 19, 2010 an updated poster was disseminated to all subgrantees in which we
      changed the Hotline Phone Number to incorporate the USDE-OIG as recommended
      (Enclosure C).

   As shown above the Office of the Governor has ensured an effective and updated
   communication process in which not only were the subgrantees informed but they were also
   instructed to place the posters in areas of visual access to employees and the public.
   Inclusive, we suggested to the subgrantees to place the poster in the same place of the EEO
   Federal Regulations Posters.

   The above dissemination and communication means to the subgrantees on the requirement of
   reporting suspected fraud was fulfilled. Accordingly, we are in total compliance with 34
   Code of Federal Regulations (CFR) 80.37 (a)(2) “… ensure that subgrantees are aware of
   requirements imposed on them by federal statute and regulation”.

Finding No. 2 – Internal Controls for Safeguarding Information

PRGO i s i n t he pr ocess of de veloping a nd a pproving i nformation s ystem s ecurity pol icies a nd
procedures. T hey will t ake i nto c onsideration t he l atest s ecurity t hreats and c hanges i n t he
information s ystems. PRGO is expecting to have these procedures approved b y December 31,
2010.

On your r ecent r evision of July 21, 2010, you r eferenced unde r t he c riteria: “ The N ational
Institute o f S tandards and T echnology f rom the U.S. Department o f C ommerce, Special
Publication 800 -53, r evision 2.” W e ha ve a ccessed t his doc ument a nd f orwarded i t t o t he
corresponding o ffices f or t heir l ecture and i nput. W e w ill ha ve a f ormal m eeting w ith t he
stakeholders in order to attend these criteria (Enclosure D).

Under this finding, reference is also made to Law 151 known as “Ley de Gobierno Electrónico”
of 2004. Under Article 5 –Functions (3 L.P.R.A. sec. 993) states the following: “(i) Develop the
infrastructure to guarantee effective controls related to security of the information system that
sustain the operations and governmental actives. (m) Project the utility of the information
technologies to prevent accidents and prepare contingency plans that permit the government to
act adequately in cases of crisis for the reestablishment of systems and data in cases of disasters
within the less time possible.” Both of these functions are in alignment with the finding related
to the Government policy on safeguarding the information (Enclosure E).

We have contacted the Office of the Chief Information Officer (CIO) of the Governor’s Office,
who ha s pr ovided us with P ublic Policy nu mber T IG-003 r evised S eptember 12, 2007,
referenced as S ecurity on t he Information S ystems ( Enclosure F ). Also, we are en closing the
most r ecent p resentation of fered b y t he O ffice of t he C IO on R isk Mitigation P lan of t he
Governmental Information (Enclosure G).

In a ddition, i n r esponse t o t his f inding, t he P uerto R ico Infrastructure F inancing A uthority
(PRIFA) has performed a preliminary evaluation concerning its information system policies and

                                                  2
                                    Enclosure A
                             Governor’s Office Comments
procedures a nd i nsufficient i nternal controls f or safeguarding i nformation. A s a result of s uch
evaluation, PRIFA’s staff has developed a plan to correct deficiencies brought to its attention.

    •   Use of st rong pa sswords – PRIFA c irculated a m emo t o a ll pe rsonnel r equiring ne w
        passwords to consist of at least six (6) characters containing no less than three (3) of the
        following: ( i) capital le tters; ( ii) low ercase l etters; ( iii) num bers (0 -9); a nd ( iv) non
        alphabetical c haracters ( e.g., @ #$%). P asswords w ill be r equired t o be changed e very
        sixty (60) days. (Enclosure H).

    •   User Access Privileges – PRIFA will establish a formal policy or procedure for system
        and application owners to review the nature and extent of user access privileges and to
        ensure t hat t hose a ccesses a nd pr ivileges w ere pe rtinent t o t he us ers’ f unctions b y
        December 31, 2010.

    •   Testing and Documenting Software Upgrades – PRIFA acquired a new server to create a
        separate vi rtual e nvironment t o doc ument a nd t est a ny c hanges a nd/or upgrades be fore
        they are applied to the live servers.

    •   Information system’s risk assessments – These tests will be performed to document and
        understand a ny pot ential r isks pr esent i n P RIFA’s i nformation s ystems. T hey will be
        performed before establishing the Continuity of Operations Plan (“COP”).

    •   Adequate E nvironmental C ontrols – PRIFA i s c onsidering i nvesting on a F M-200 f ire
        suppression system. This type of system is specialized for use inside server rooms.

    •   Information s ystem s ecurity pol icies a nd pr ocedures and s ecurity t hreats – PRIFA
        expects to have the information system security policies and procedures and the security
        threats policies and procedures in place by December 31, 2010.

    •   PRIFA currently receives monitoring alerts from the Puerto Rico Office of Management
        and B udget ( “OGP”, b y i ts S panish a cronym), i ncluding ot her m ain a pplications ( e.g.,
        exchange, windows servers, etc.). PRIFA will modify its current incident report policies
        to a lso i nclude ne w t hreats s ecurity p rocedures. P RIFA’s pe rsonnel w ill pe rform t he
        necessary procedures to correct this finding by December 31, 2010.

    •   COP – OIG considers that PRIFA’s COP is not adequate because an alternate site with
        the equi pment n ecessary to cont inue t heir op erations i n case of an em ergency o r
        equipment f ailure doe s not e xist. A s mentioned a bove: ( i) P RIFA i s a cquiring a ne w
        server to create a separate virtual environment to document and test any changes and/or
        upgrades be fore t hey are a pplied t o t he l ive s ervers; a nd ( ii) P RIFA i s c onsidering
        investing on a FM-200 f ire s uppression s ystem. This t ype of s ystem i s s pecialized for
        use inside server rooms. Also, it is worth mentioning that PRIFA has already purchased
        the software that will be necessary for the implementation of the COP.

The PRGO will instruct PRIFA to develop a schedule for periodically updating their information
systems security policies and procedures, and to conduct an information system risk assessment
                                                    3
                                  Enclosure A
                           Governor’s Office Comments
to de termine how t he agency will c ontinue i ts ope rations w hen a n emergency occurs a nd
establish a ppropriate m easures. T he P RGO w ill e nsure P RIFA approves t heir i nformation
system security pol icies a nd pr ocedures a nd i ncorporates i nformation addressing t he l atest
security threats to protect the agency’s information, including ARRA data; and, PRIFA evaluates
the f indings a nd r ecommendations m ade dur ing t he i nformation s ystem a ssessment a nd
implement as appropriate.

Also, PRGO is in the process of identifying funds to finance the cause for protecting information
system distribution and transmission lines.

Finding No. 3 – Insufficient Controls over Cash Management

The D raft i ncorrectly al leges t hat P RGO l acked sufficient cont rols f or t he A RRA pa yment
process, specifically, that the PRGO did not have written procedures for the payment process.

As part of the terms and conditions of the contracts with our subgrantees, the PRGO requires
under Article IV Disbursement Duties, the following:

4.1 SUBGRANTEE hereby agree that the Grant received from the OFFICE will be managed
separately from the rest of SUBGRANTEE’S funds.

4.2 SUBGRANTEE acknowledges that Grant funds will not be disbursed until a draw down
request form (“Draw down FORM”) is completed and delivered to the OFFICE. The Draw
Down Form will provide the OFFICE with the exact amount of the disbursement to be made to
SUBGRANTEE and disbursement will not be authorized without delivery of fully completed
Draw Down Form. A Sample of the Draw Down Form applicable to the Grant is included as
Annex III and may be sent to the OFFICE via email. The OFFICE may turn the Draw Down
Form into a web based process. Upon implementation of a web based draw down process,
SUBGRANTEE shall make all requests in compliance with the procedure established by the
OFFICE.

We have taken a corrective action on implementing strictly the Terms and Conditions of
Contract for Disbursement which must include the intended use of funds and certified by an
authorized official.

PRGO follows PR Treasury Department cash management and payment procedures when
managing SFSF transactions. In addition, PRGO has offered technical assistance through
meetings, online communication, and formal communications to its sub recipients to discuss the
payment procedures and the SFSF-specific draw down flowcharts. As part of the standard
procedure, PRGO always reviews draw down requests to ensure they are appropriate and contain
all required information.

The Monitoring Plan for the State Fiscal Stabilization Fund in Puerto Rico of March 10, 2010;
Part C states the following Draw Down Process:



                                                4
                                  Enclosure A
                           Governor’s Office Comments
   1. Review each draw down request to ensure it incorporates the backup documentation
      specified in the memoranda of understanding, as well as any additional documentation
      required by the PRGO.
   2. Request documentation after draw down that certifies sub-recipient disbursement within
      the specified dates.
   3. Maintain all draw down requests and back up at the PRGO.
   4. Check “Expected Disbursement Schedule” for each sub recipient regularly to detect and
      clarify possible deviance from the plan.

Also, in response to this USDE-OIG Finding, PRGO has implemented a SFSF Draw Down
Request Review Checklist (Enclosure I) and prepared a written procedure detailing the steps
previously contained in the flowcharts (Enclosure J). These documents will be provided to the
USDE-OIG to back up our corrective action plan.

Finding No. 4 – Insufficient Monitoring to Ensure Adequate Oversight of ARRA Funds

The Draft erroneously alleges that PRGO’s monitoring plan and tool lacked key steps necessary
to ensure ARRA compliance.

Upon approval of the State Fiscal Stabilization Fund program on May 2009, the PRGO was
completely aware of the responsibility of developing a Monitoring Plan. As acknowledged on
Finding #1 “ The Governor’s Office developed a monitoring plan and tool to ensure
subrecipient’s compliance with requirements governing Recovery Reinvestment Act (ARRA)
funding and the proper use of funds”…

On the visit of the OIG in October 2009, the Office of the Governor provided the USDE-OIG
Monitoring Team with the preliminary draft of a Monitoring Plan. This draft Monitoring Plan
was later revised after the USDE published on February 2010 their Monitoring Plan for the State
Fiscal Stabilization Fund (SFSF) Program. The intention was to incorporate to our original plan,
all the components that the Grantor will be using to monitor us as grantees. We will use the
same parameters to monitor our subgrantees.

On March 2010, the Office of the Governor submitted to the USDE the final version of the
Monitoring Plan for consideration and approval. This version is pending for approval by the
USDE (Enclosure K). We are confident that the USDE will approve this Monitoring Plan soon.
Nevertheless, we have proceeded to implement the Monitoring Plan with our subrecipient’s to
ensure compliance with the requirements governing the American Recovery Reinvestment Act
(ARRA).




                                               5
                                         Enclosure B
                                       PRDE Comments


                            Puerto Rico Department of Education
                      Response to Draft Audit Report: ED-OIG/A04K0001

                                           Submitted to:
                                        Denise M. Wempe
                                Regional Inspector General for Audit
                                   U.S. Department of Education
                                    Office of Inspector General
                                   61 Forsyth SW, Room 18T71
                                        Atlanta, GA 30303
                                     Denise.Wempe@ed.gov




        The P uerto R ico Department of Education (“PRDE”) herein s ubmits i ts response t o t he
United States Department of Education’s Office of the Inspector General Draft Audit Report (the
“Draft”) e ntitled Puerto Rico Recovery Act Audit System of Internal Controls over Selected
Funds. T he D raft i ncludes f ive f indings against P RDE ( findings 2 -6). F inding 2 a lleges
insufficient c ontrols f or safeguarding i nformation, f inding 3 alleges i nsufficient c ontrols ove r
cash m anagement, finding 4 a lleges i nsufficient m onitoring t o e nsure adequate ove rsight of
ARRA funds, finding 5 alleges ineffective monitoring of the procurement process, and finding 6
alleges lack of documentation to support payments made with IDEA ARRA funds.

        PRDE t akes a llegations of t his na ture ve ry s eriously a nd ha s carefully r eviewed t he
specific documentation, policies, and procedures at issue. B ased on t he results of our review to
date, PRDE respectfully disagrees in part with the Draft’s findings and requests that the Draft’s
findings and recommendations be reconsidered. For recommendations in which PRDE agrees,
PRDE has outlined its corrective action plan. Each finding is discussed in turn.

Finding No. 2 – Internal Controls for Safeguarding Information

          PRDE disagrees with the Draft’s finding that PRDE had not established internal controls
for de veloping, a pproving a nd upd ating i nformation s ystem s ecurity po licies a nd pr ocedures.
Specifically, the D raft s tates t hat P RDE l acked policies and procedures t o ensure pr oper
password and account management. P RDE has established appropriate internal controls related
to i ts i nformation s ystem s ecurity pol icies a nd procedures, i ncluding po licies t o e nsure pr oper
password and account management.

Password and Account Management

        PRDE ha s i nformation s ystems pol icies a nd pr ocedures t hat out line t he pr ocess t o
provide secure passwords throughout the organization and assign account rights and permissions
to the requisite employees. Before an employee is issued a password providing access to secure
modules, the employee’s supervisor must submit the request to the Information Systems Office
                                                    1
                                        Enclosure B
                                      PRDE Comments
for a pproval. O nce a pproved, a pa ssword i s a ssigned. If t he e mployee i s t ransferred, the
previous password is invalidated and the new supervisor must submit a new request for access to
appropriate s ecure m odules. T he Information S ystems O ffice m eets w eekly t o c ross-reference
employee t ransfers with the H uman Resources D epartment and t o m onitor t he a ppropriate
password changes and employee access to information.

        The i nformation s ystems pol icies a nd pr ocedures a lso out line t he pr ocess t o pr ovide
secure pa sswords t o c ontractors t hat r equire a ccess t o c ertain m odules. Generally, contractors
are provided access onl y to those systems or applications that are necessary. However, in very
limited circumstances, there is a le gitimate n eed to provide certain contractors administrative
rights. T his pr actice i s c onstantly be ing r eviewed and c ontrolled. T he Information S ystems
Office addresses this issue in its weekly meeting.

        Several c ontrols a re i n pl ace t o e nsure pr oper s ecurity of P RDE i nformation s ystems.
PRDE cur rently us es t he s ecurity s ystem Oracle A pplications. U sername and password are
required before any employee m ay access s ecure s ystems. A ccess t o transaction entry, view,
posting or adjustment of information is determined b y defined roles and responsibilities within
the applications. Roles and responsibilities are assigned to each user based on the approved tasks
to be performed by the user. There is a minimum length requirement and alphabetical, numerical
and special characters may be used to ensure passwords are not easily decrypted. In addition, all
secure passwords must be changed every three months. Users are automatically logged out as a
result of inactivity. Further, after five minutes of failed attempts to submit the correct password,
the e mployee’s c omputer goes i nto a n a utomatic l ock-down and cannot be unl ocked unt il
verification by the Information Systems Office that the access is allowable.

        PRDE i s i n t he pr ocess of upd ating i ts i nformation s ystems ne w a ccount pr ocedures
through implementation of O racle Identity M anagement and Access M anagement. T hese n ew
security s ystems w ill pr ovide P RDE w ith the ne cessary tool s to efficiently ma nage a ccess
protocols for PRDE’s SIFDE, PCE and Active Directory systems. The new account procedures
will outline the proper workflow approval processes required to request, assign and approve user
accounts, a s w ell a s d eny and i nactivate us er accounts. T he n ew account pr otocols w ill be
implemented in conjunction with the new security systems

        Accordingly, PRDE’s information system security policies and procedures ensure the use
of s ecure p asswords t hroughout t he a gency and ens ure us ers ha ve t he c orrect l evel of acc ess.
The Information S ystems Office regularly monitors use of secure s ystems to ensure users have
the correct level of access. Additionally, PRDE periodically reviews and updates its information
systems policies and procedures to reflect changes to the information systems.

Finding No. 3 – Controls over Cash Management

       PRDE di sagrees w ith the D raft’s f inding tha t P RDE la cked s ufficient controls f or the
ARRA pa yment pr ocess. P RDE c urrently h as c ontrols i n pl ace t o e nsure t hat c osts unde r t he
schoolwide pr ogram a re pa id be fore r equesting r eimbursement f rom t he U .S. D epartment of
Education (ED) and that earned interest is properly calculated and timely returned to ED.

Verifying Payments Before Requesting Reimbursement
                                                   2
                                        Enclosure B
                                      PRDE Comments

        According t o t he D raft, P RDE di d not ha ve a dequate c ontrols t o e nsure A RRA c osts
under s choolwide pr ograms a re pa id be fore P RDE r equests r eimbursement f rom E D. P RDE
acknowledges t hat t his may have be en an i ssue f or a v ery s mall por tion of i ts A RRA costs
related to schoolwide programs. However, PRDE has eliminated this risk by updating its SIFDE
system to allow for daily processing of reimbursement requests based on actual expenditures. As
noted i n t he D raft, PRDE ex perienced some de lays i n its w ork with the ex ternal cont ractor t o
develop t his a utomated s ystem, how ever t he c ontract w as r esumed a nd the c ontractor finished
the new system. Implementation of the new automated system began this week. T esting of the
new s ystem i s e xpected to be f inished b y t he end of O ctober, w ith f ull i mplementation t o be
complete by November 1, 2010.

        Even be fore t he s ystem w as upda ted, how ever, PRDE e nsured t he va st m ajority of t he
costs under schoolwide programs were paid before PRDE requested reimbursement from ED. At
least 90% of t he A RRA c osts r elated t o s choolwide pr ograms w ent t o pa yroll. P ayroll
disbursements g o out on t he 15 th and 30 th of e ach m onth b y di rect de posit. PRDE r equests
reimbursement from E D for s choolwide e xpenditures a t t he end of e ach m onth, a fter P RDE
disburses i ts pa yroll c osts. T herefore, f or at l east 90% of di sbursements, c ontrols e xisted t o
ensure that expenditures were paid before PRDE requested reimbursement.

        For t he remaining 10%, the request f or r eimbursement m ay ha ve come b efore p ayment
had been disbursed, for example, in circumstances where a check issued by PRDE for payment
of a schoolwide expense remained outstanding at the time PRDE requested reimbursement from
ED at the end of the month. H owever, PRDE adequately ensured the funds were used only for
allowable ex penditures be cause o f t he s trong i nternal cont rols i n place. F or ex ample, several
layers of r eviews and a uthorizations b y di fferent of fices a re r equired before f ederal f unds,
including ARRA funds, may be expended. T hus, even if a reimbursement request preceded the
actual e xpenditure, s everal c ontrols ensured t hat t he f unds w ere e xpended i n a ccordance w ith
federal requirements.

       In c onclusion, P RDE ha s e stablished a dequate c ontrols t o e nsure A RRA c osts unde r
schoolwide programs are paid before requesting reimbursement for ARRA drawdowns from ED.

Calculating and Remitting Earned Interest Timely

        The Draft mistakenly asserts that PRDE lacked written policies and procedures to ensure
that ear ned interest i s pr operly c alculated and timely r eturned to ED. PRDE cal culates and
remits interest earned on advances to ED annually, rather than quarterly, in accordance with an
agreement be tween the P uerto Rico Department of T reasury (PR Treasury) a nd t he U .S.
Department of Treasury, Office of Finance Management Service (FMS), included as Attachment
A. E D ha s r outinely allowed s uch a rrangements i n ot her s tates, i ncluding, f or e xample,
California.

       PR Treasury enters into an agreement each year with FMS on behalf of all Puerto Rico
government agencies that allows annual calculation and remittance of interest earned on f ederal
advances. T he pol icies and procedures d escribing t his pr ocess ar e s tated in the ci rcular l etter
issued by the PR Treasury and included as Attachment B.
                                                   3
                                        Enclosure B
                                      PRDE Comments

        Accordingly, P RDE ha s t he r equired pol icies a nd pr ocedures t o c alculate a nd r emit
excess interest earned on federal funds, including ARRA funds, and PRDE in fact calculates and
remits excess interest in a timely manner.

Finding No. 4 – Monitoring to Ensure Adequate Oversight of ARRA Funds

       PRDE di sagrees w ith t he D raft’s f inding t hat P RDE di d not ha ve a s ufficient pl an f or
monitoring its use of ARRA funds to ensure compliance with the requirements governing ARRA
funding. T he Draft states that the program monitoring guides covering Title I and IDEA were
not modified to include Title I and IDEA ARRA funds. Further, the Draft states that PRDE does
not have a sufficient level of adequately trained staff assigned to its monitoring units.

Monitoring Guides

       PRDE currently monitors its ARRA Title I funds according to the Monitoring Procedures
Manual for funds administered at the Office of Federal Affairs (OFA), included as Attachment
C. O FA’s R egional M onitoring U nit ( RMU) monitors A RRA T itle I funds a ccording t o t he
monitoring calendar, which was developed using risk-based analysis, included as Attachment D.
The RMU updated the Monitoring Procedures Manual to ensure that the use of both regular and
ARRA Title I funds are adequately monitored and in compliance with federal requirements. The
revised manual is under review; final approval is expected to be obtained by October 31, 2010.
        PRDE agrees with the Draft’s recommendation that additional staff is needed to assist the
RMU w ith the pr ogrammatic moni toring vi sits. U ntil the a dditional s taff is hi red, the O FA
Monitoring Unit has provided and will continue to provide the necessary assistance to the RMU
in its monitoring activities under the Monitoring Procedures Manual in order to comply with the
2010-2011 monitoring calendar.
        PRDE’s S pecial E ducation O ffice (SAEE) m onitors i ts A RRA IDEA f unds t hrough i ts
regular IDEA monitoring procedures. PRDE agrees with the Draft’s recommendation that SAEE
develop appropriate IDEA fiscal monitoring procedures and assign responsibilities to effectively
monitor the fiscal aspects of the IDEA program. SAEE is planning on leveraging OFA’s system
of fiscal monitoring through the creation of a Fiscal Monitoring Unit, administered by PRDE’s
Finance D ivision. S AEE w ill de velop IDEA f iscal m onitoring pol icies a nd p rocedures t o be
implemented b y t he pr oposed F iscal M onitoring U nit, or t hrough a nother uni t r esponsible f or
monitoring IDEA f unds. In t he i nterim, P RDE’s F inance D epartment i s r esponsible f or
calculating a nd m onitoring IDEA f iscal r equirements, i ncluding, f or e xample, m aintenance of
effort. Further, strong internal controls are in place to adequately ensure all IDEA expenditures,
including A RRA IDEA e xpenditures, c omply with f ederal r equirements. F or ex ample, each
payment r equest m ust go t hrough s everal l ayers of r eview a nd approval f rom di fferent of fices
before the payment is allocated to ARRA or regular IDEA funds.
      Thus, P RDE w ill e nsure t he R MU i s pr operly t rained t o e ffectively m onitor t he us e o f
ARRA funds and revise its Title I and IDEA monitoring guides to include monitoring the use of
ARRA funds in compliance with federal requirements. Further, PRDE will develop IDEA fiscal
monitoring policies and procedures to be implemented by IDEA fiscal monitors to better-ensure
                                                   4
                                         Enclosure B
                                       PRDE Comments
the f iscal as pects of t he IDEA p rogram are m onitored (such as m aintenance of e ffort and
allowability of costs).

Staffing

        In a ccordance with t he Draft’s recommendation, P RDE i s i n t he pr ocess of pr operly
staffing and training the Fiscal Monitoring Unit (FMU) and the RMU to effectively monitor the
use of ARRA funds. PRDE will conduct a needs assessment to determine how many employees
are n ecessary for each of t he m onitoring uni ts. U ntil t he R MU i s pr operly staffed, OFA’s
Monitoring U nit w ill c ontinue to assist the R MU w ith its moni toring s chedule. As me ntioned
above, the RMU Monitoring Procedures Manual addresses both regular and ARRA Title I funds.
OFA will train members of the RMU on t he Monitoring Procedures Manual once the manual is
approved.

        PRDE SAEE also remains committed to effectively staffing the program monitoring unit.
The Draft alleges that the SAEE needs additional staff to effectively monitor the IDEA program.
Specifically, the D raft states t hat t wo g eneral s upervisors a nd t wo s pecialists i n e ducation
research are n eeded. The S AEE com pleted a ne eds as sessment and de termined only t wo
additional employees are needed to adequately monitor the IDEA program. One of the positions
has be en c ontracted and S AEE is a ctively s earching to fill the single r emaining open position.
Additionally, a s m entioned a bove, S AEE i s a lso de veloping a ppropriate f iscal m onitoring
policies and procedures (covering both regular and ARRA funds) and will soon have IDEA fiscal
monitors i n t he pr oposed F iscal M onitoring Unit, or a s pa rt of another uni t r esponsible f or
monitoring IDEA funds. PRDE’s Finance Division will train the FMU monitors on t he SAEE-
developed IDEA fiscal monitoring policies and procedure once finalized and approved.

Finding No. 5 – Monitoring the Procurement Process

        PRDE disagrees in part with the Draft’s recommendations regarding the monitoring of its
procurement process. T he Draft states that PRDE has not fully established a monitoring unit or
developed a monitoring plan and/or guidance to effectively monitor Purchasing Officers and the
current and past performance of vendors. F urther, the Draft alleges PRDE has not reviewed its
procurement procedures to ensure procurement processes funded under ARRA are conducted in
accordance with the requirements governing ARRA.

         PRDE is committed to ensuring its Central Purchasing Office (CPO) effectively monitors
the pe rformance of P urchasing O fficers a nd ve ndors a nd i s i n t he pr ocess of e stablishing a nd
staffing the proposed CPO Monitoring Unit. PRDE has determined a staffing level of three will
satisfy thi s uni t’s ne eds. P RDE expects to c ontract the se r esponsibilities out unt il it is a ble t o
create and hire the new positions.

        While t he proposed C PO M onitoring Unit has not yet been established and s taffed, t he
CPO ha s i mplemented a n i nterim a pproach t o ha ndling t he r esponsibilities pr oposed t o be
managed by the CPO Monitoring Unit. The CPO regularly monitors the workflow quantity and
status of r equisitions, d elivery o rders, a nd pur chase or ders a s w ell a s t he c umulative dol lar
amounts b y pu rchasing category. T he C PO i ssues w eekly reports on t hese f igures w hich are
analyzed and di scussed during w eekly C PO s taff m eetings. Based on t hese r eports, ne cessary
                                                     5
                                         Enclosure B
                                       PRDE Comments
follow-up a ctivities a re c onducted t o e nsure d elivery a nd r eceipt of procured i tems. C PO
leadership monitors the data by region and by individual buyer to identify outliers or otherwise
concerning statistics. Where concerns are identified, appropriate follow-up action is taken.

        Additionally, i n t erms o f m onitoring t he P urchasing O fficers, t he C PO i s s tructured t o
ensure two levels of review of Purchasing Officer work. C PO Supervisors are the first level of
review of Purchasing Officer work. The supervisors are located at both the central and regional
levels, and each supervisor oversees three Purchasing Officers. The supervisors review all work
completed by the Purchasing Officers. The CPO Director constitutes the second level of review,
and spot c hecks P urchasing O fficer w ork already r eviewed b y t he S upervisors. T his doubl e
layer of review helps ensure all purchasing orders are properly completed and approved.

        The C PO has m onitoring p rocedures i n pl ace, w hich P RDE i s s cheduled t o review and
revise, as appropriate, the monitoring procedures prior to the end of the calendar year. P RDE’s
established pr ocurement pr ocedures a pply for all pr ocurement a ctivities, r egardless of funding
source. P RDE will review its procedures to ensure procurement processes funded under ARRA
are conducted in accordance with the requirements governing ARRA. If any necessary changes
or additions are identified, PRDE will revise its procedures accordingly.

         PRDE ha s com pleted a r eview o f i ts pol icy r egarding t he h andling of i nvoices b y
Purchasing O fficers a nd ha s de termined s aid pr ocedures m aintain a n a dequate s egregation of
duties. F irst, t he Draft’s de scription o f A rticle 81 of P RDE’s P rocurement P olicies and
Procedures m isstates t he r ole of t he P urchasing O fficers with regard t o t he receipt of i nvoices.
Article 81 does assign Purchase Officers the task of providing follow-up support to the payment
process to avoid unnecessary delays; however, contrary to the Draft’s interpretation, Purchasing
Officers are not responsible for obtaining vendors’ invoices or preparing hard copy packages for
each purchase order to send to the Accounts Payable (AP) Division. R ather, the AP Division is
charged w ith r eceiving invoices a nd s upporting doc umentation. I n t he c ase of s ervices, the
invoices a nd s upporting doc umentation are f irst r eceived a t t he s pecific of fice c ontracted t o
receive the services. The invoices are reviewed, certified, and then passed on to the AP Division.
In t he c ase of goods, t he i nvoices go di rectly t o t he AP D ivision f rom t he ve ndor. T he A P
Division is responsible for notifying Hacienda to issue payment.

        In response t o t he P RDE Internal A udit R eport on t he 2007 C ompliance A greement
Quarterly P rogress R eport f or t he pe riod e nded December 2009, a nd t o e nsure s egregation of
duties, the P RDE D irector of t he P rocurement O ffice i ssued a l etter cl arifying t he pr ocess and
reinforcing t he proper roles of t he P urchasing O fficers and t he AP Division with regard t o t he
receipt and review of invoices. This letter, dated January 14, 2010, is included as Attachment E.

Finding No. 6 – Documentation to Support Payments Made with IDEA ARRA Funds

       PRDE ha s s upporting doc umentation of t he pr ocurement pr ocess r esulting i n t he
purchase of the annual software license from Computer Automation Systems, Inc. (CAS) as well
as documentation for the $2,051,000 in payments made to CAS, including evidence that services
were rendered in accordance with the agreement between CAS and PRDE.


                                                    6
                                         Enclosure B
                                       PRDE Comments
        CAS i s the ow ner of S EASweb s oftware, w hich P RDE us es f or ma intaining its s pecial
education da ta i slandwide. In or der t o us e t his s oftware, P RDE m ust pur chase an a nnual
software l icense f rom C AS each year. T he A udit R eport ci tes an invoice and accompanying
proposal t hat w ere s ubmitted b y C AS t o P RDE t otaling $4.6 m illion; how ever, P RDE ne ver
accepted t his pr oposal n or e ntered i nto a c ontract w ith C AS f or t he s ervices de tailed i n t hat
proposal. PRDE determined that it did not require the additional services CAS was offering as a
package i n a ddition to t he a nnual s oftware l icense i n s aid pr oposal. A ccordingly, P RDE
proceeded t hrough t he procurement pr ocess t o pur chase t he annual s oftware l icense, a nd no
additional goods or s ervices, f rom C AS f or a t otal c ost of $2,051,000. A c opy o f t he i nvoice
submitted by CAS to PRDE for the annual license reflecting this price is included at Attachment
F. T he description section of the invoice details that the purchase is for the SEASweb Special
Education M anagement Systems A nnual License. T he f inal cost f or t he stand alone a nnual
license is higher than the costs included in the proposal because CAS was offering a discounted
price on the license if PRDE were to purchase a larger package of goods and services from CAS.

        The cost of the annu al license w as determined based on C AS’s price sheet, included as
Attachment G . P RDE’s s tudent c ount in S EASweb f or 2009 w as 121,339. T he c ost of the
annual license is based on a Usage Fee of $16 per student. Accordingly, the 2009 Usage Fee was
$1,941,424 ( 121,339 * 16 ). P RDE al so elected to purchase t he S EAS S oftware A nnual
Maintenance for a n a dditional f ee of $187,500. T he t otal of t he A nnual M aintenance and t he
Usage Fee was $2,128,924. PRDE received a discount of $77,924 for its purchase of the Annual
Maintenance, as evidenced by the written statement from CAS, included as Attachment H. Thus,
the adjusted total cost of the SEASWeb Annual license and maintenance was $2,051,000.

        This pur chase of t he an nual s oftware l icense granted PRDE acc ess t o and use of t he
SEASweb program for t he period O ctober 20, 2 009 t hrough S eptember 19, 2010. P RDE paid
CAS invoice in two installments: (1) $594,790 paid on March 25, 2010 and (2) $1,456,210 paid
on March 19, 2010. A copy of PRDE’s accounting records for these two payments is included at
Attachment I. P RDE received access to the SEASweb program for the period governed by the
license.




                                                    7